
Controlling dispatch directory growth

mark
Path Finder

Hi,

We have a continual issue in our environment with the $SPLUNK_HOME/var/run/dispatch directory growing out of control – constantly above 2000 directories and decreasing system performance.

There are two use cases that seem to cause the biggest issue:
1. Realtime searches that alert frequently. In this case I see that a new result (and directory) is created every 1-2 minutes. This has the ability to create hundreds of directories within a few hours. Most of these realtime alerts are already restricted to a 24-hour retention; however, this doesn't help if alerts are triggered all night, then there are easily 500+ directories by the morning for just one search...

2. Scheduled searches that are set up to execute frequently with a few days' retention. We recently had a user set up a search at 5-minute intervals with a 30-day retention... This created a slow growth of 1152 directories over 4 days....

Between these two use cases we often have Splunk exceeding 3000+ directories quite frequently.

I’m curious how other people are managing this?

In some circumstances it makes sense to retain results for 30 days; in the case of a daily search.
It also makes sense for critical monitoring to have frequent alerts. However, a combination of both creates too many directories in dispatch for Splunk to operate efficiently.

Is there a mechanism to enforce job retention for a particular user role? i.e. 24 hours only

Is there any mechanism to alter how the dispatch directory operates? Even sub folders per app or per user would really help in this case…

Mark


gkanapathy
Splunk Employee

You should simply change the retention periods of your saved searches. They are controlled by the ttl or timeout parameter, though depending on how the search is scheduled, there are many places the value may be set or overridden. See the savedsearches.conf and alert_actions.conf files.

As for users, you can use roles to limit the amount of space a user uses, which indirectly should limit the number of jobs they keep around.
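
The answer above says the number of artifacts is a consequence of retention, and the original post supplies the arithmetic: a search run every 5 minutes with a 30-day TTL leaves 288 new directories per day, which is exactly the 1152 directories seen after 4 days. The script below is an added example, not code from the thread or from Splunk: it reads a constructed savedsearches.conf, works out each scheduled search's period from the common cron_schedule shapes, resolves dispatch.ttl (a plain number of seconds, or a number with a p suffix meaning multiples of the period, with [default] inherited by every stanza), and reports the steady-state directory count as ttl divided by period. The stanza names, cron expressions and TTL values in the sample are made up. It covers only scheduled searches whose TTL is governed by dispatch.ttl; when an alert action fires, the ttl in alert_actions.conf takes over, and realtime alerts produce one artifact per trigger rather than per cron run, so neither is estimated here.

```python
"""Estimate steady-state dispatch directory counts from savedsearches.conf.

Added example for the thread above; assumes a savedsearches.conf with
cron_schedule and dispatch.ttl keys.  The sample below is constructed.
"""
import configparser
import re
from typing import Dict, Optional

# Constructed sample conf; none of these searches exist on a real system.
SAMPLE_SAVEDSEARCHES_CONF = """
[default]
dispatch.ttl = 2p

[Critical error rate - every 5 minutes]
cron_schedule = */5 * * * *
dispatch.ttl = 86400

[Daily license usage]
cron_schedule = 0 6 * * *
dispatch.ttl = 2592000

[Failed logins every 5 minutes]
cron_schedule = */5 * * * *
dispatch.ttl = 2592000

[Failed logins every 5 minutes - fixed]
cron_schedule = */5 * * * *
dispatch.ttl = 2p
"""


def cron_period_seconds(expr: str) -> Optional[int]:
    """Run period for the cron shapes handled here; None for anything else.

    Supports '*/N * * * *', 'M * * * *', 'M */N * * *' and 'M H * * *'.
    Weekly or monthly schedules are reported as unknown rather than guessed.
    """
    fields = expr.split()
    if len(fields) != 5:
        return None
    minute, hour, dom, month, dow = fields
    if dom != "*" or month != "*" or dow != "*":
        return None
    step_min = re.fullmatch(r"\*/(\d+)", minute)
    step_hour = re.fullmatch(r"\*/(\d+)", hour)
    if step_min and hour == "*":
        return int(step_min.group(1)) * 60
    if minute.isdigit() and hour == "*":
        return 3600
    if minute.isdigit() and step_hour:
        return int(step_hour.group(1)) * 3600
    if minute.isdigit() and hour.isdigit():
        return 86400
    return None


def ttl_seconds(raw: str, period: int) -> int:
    """Resolve dispatch.ttl: '<n>' is seconds, '<n>p' is n periods."""
    raw = raw.strip()
    if raw.endswith("p"):
        return int(raw[:-1]) * period
    return int(raw)


def artifacts_after(period: int, ttl: int, elapsed: int) -> int:
    """Directories present after `elapsed` seconds: one per run, minus expired."""
    return min(elapsed, ttl) // period


def steady_state_artifacts(conf_text: str) -> Dict[str, Optional[int]]:
    """Map each scheduled search to its long-run directory count (ttl / period)."""
    # Splunk's [default] stanza is inherited by every other stanza, which is
    # exactly what configparser's default_section does.  interpolation=None
    # keeps '%' in search strings from being treated as a format directive.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="default")
    cp.read_string(conf_text)
    counts: Dict[str, Optional[int]] = {}
    for name in cp.sections():
        cron = cp.get(name, "cron_schedule", fallback=None)
        if cron is None:
            continue  # not scheduled: no recurring artifacts
        period = cron_period_seconds(cron)
        if period is None:
            counts[name] = None
            continue
        ttl = ttl_seconds(cp.get(name, "dispatch.ttl", fallback="2p"), period)
        counts[name] = -(-ttl // period)  # ceiling division
    return counts


def over_budget(conf_text: str, budget: int = 100):
    """Names of searches that will each hold more than `budget` directories."""
    return sorted(n for n, c in steady_state_artifacts(conf_text).items()
                  if c is not None and c > budget)


if __name__ == "__main__":
    for name, count in steady_state_artifacts(SAMPLE_SAVEDSEARCHES_CONF).items():
        print(f"{count if count is not None else 'unknown':>8}  {name}")
    print("over budget:", over_budget(SAMPLE_SAVEDSEARCHES_CONF, budget=500))
```

Run it against a real file with `splunk btool savedsearches list --debug` output reduced to the stanzas you care about, or point `read_string` at the merged conf. The "fixed" stanza shows the cheapest remedy the answer points at: a 5-minute search with `dispatch.ttl = 2p` keeps two directories instead of 8640.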

mendesjo
Path Finder

Thanks for the answer... but as someone new to Splunk... my goodness, there are a million savedsearches.conf files. Which one?


kamal_jagga
Contributor

Go into the app that has the most searches or is least useful. In its local directory, make a limits.conf and update the ttl value.

ttl =
* The time to live (ttl), in seconds, of the cache for the results of a given
subsearch.
* Do not set this below 120 seconds.
* See the definition in the [search] stanza under the “TTL” section for more
details on how the ttl is computed.
* Default: 300 (5 minutes)

https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Limitsconf
