I have an indexer that seems to be having an issue keeping up with bundles with Splunk 5.0.5. I have been though S.O.S. looking for a cause, the only thing I see in the logs are timeouts waiting for the indexer to receive the bundle. There are 4 servers that maintain bundles with this indexer. This indexer is connected via fiber (10G).
Anyone have any ideas what is going on or where I could look to get more insight into this problem?
Shane, how big are the bundle files?
You can refer this
And see if the smaller bundles are being pushed without a timeout
Shane, how big are the bundle files?
You can refer this
And see if the smaller bundles are being pushed without a timeout
I found the issue after getting into the searchpeers folder. Turns out that we had someone from their desktop connecting to the indexer pool and sending a bundle about 600MB every 5 minutes.
They are about 100MB each.