slow distributed search (DistributedBundleReplicat...

tawollen · ‎12-01-2010

We have 2 search heads, one is a lab box, so lower performance 4 way 8gig ram, but very few people use it. The other is a 16 way box. Our primary search head does no indexing locally at all, the lab box does some, (10,000 events/day). For some reason, the lab box seems REAL slow when doing searches, system load/memory is all good.

The only thing I have found in the logs is the following: From Lab box 12-01-2010 23:48:57.669 WARN DistributedBundleReplicationManager - bundle replication to 8 peer(s) took too long (227349ms), bundle file size=143900KB

From production: 12-01-2010 19:29:16.536 WARN DistributedBundleReplicationManager - bundle replication to 10 peer(s) took too long (10474ms), bundle file size=4130KB

I can't find any real reference to DistributedBundleReplicationManager in any documentation. The 'bundle replication" is taking a lot longer, and I am wondering if the "bundle file size" is making the one system slower than the other.

Any thoughts?

gkanapathy · ‎12-02-2010

Do you have a very large lookup file or something inside one of the apps on your slow search head?

araitz · ‎01-14-2011

Does some content in your apps change a lot? Seems like a slow connection if it takes >10s to transfer <4 MB.

tawollen · ‎12-31-2010

We have some lookups, nothing that big, at least not in the app I am using, there might be something in one of the other apps.

slow distributed search (DistributedBundleReplicationManager ?)

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...