Getting Data In

How do I get Splunk to limit the Windows file path to under 260 characters?

Path Finder

Getting the following Error on one of our clustered indexers (and similar ones on the other indexers):

10-26-2016 16:20:03.362 -0500 ERROR SearchResultsWriter - Unable to open output file: path=C:\Program Files\Splunk\var\run\splunk\dispatch\remote_SplunkSH02_scheduler__admin_c3BsdW5rX2FwcF93aW5kb3dzX2luZnJhc3RydWN0dXJl__RMD5e93ff07c552f3ee0_at_1477516800_3187_F5AAE4E2-7A34-4327-8CDA-83913FB48502\index_buckets.csv.647C07D6-2813-4D98-AD2E-ED1FCACEB554.tmp error=The system cannot find the path specified.

Background: 3 Indexer Cluster, all running on Windows. 3 Search Head Cluster, also Windows.

The directories all exist, the permissions are set correctly, and the file itself does not exist. When these errors occur, the RAM usage goes through the roof and quite often it ends up crashing splunkd on the indexer.

Spoiler Alert:

I know why the error is occurring. It's because in all of M$'s glory, they still hard code the file path limit to 260 characters. This file path is 264 characters. Now, how do I get Splunk to limit the file paths to under 260 characters?

Labels (1)
1 Solution

SplunkTrust
SplunkTrust

One option: Move Splunk to c:\splunk

View solution in original post

New Member

I would suggest to use Long Path Tool program. It resolves problem regarding source path too long.

0 Karma

New Member

Hi, for problems concerning path too long issues, I suggest you try the new long path tool. This can help you with all kinds of path too long cases,

0 Karma

New Member

Another way to solve the long path issue is to use Long Path Tool.
Simple and easy. Worked for me!

0 Karma

SplunkTrust
SplunkTrust

This is a newer option that’s only available on select versions of Windows 10 iirc.

Great vendor supplied option if you’re OS is compatible.

0 Karma

Path Finder

Can I add a "me too" to this thread ?
SplunkEnterpriseSecuritySuite searches fall foul of this as well

0 Karma

Path Finder

Also just for the record, moving the default installation to a shorter path also fixed our problems with our ES search head as well, and now things are much better!

We also changed our ES search head to be installed on Linux, and got better performance in general, but in theory if you had ES running on a Windows based search head, changing the install path on that as well should alleviate any problems you'd have on the search head with temp files, and changing the install path on the indexers I can definitively say alleviates the errors that were occurring on the indexers.

0 Karma

Path Finder

If i remember correctly (we have now migrated off Windows indexers), the issue was most critical on the indexers not the search heads.

I moved the installs from c:\Program Files\Splunk to c:\S, in the process winning back 18 characters of pathname space. It sort of helped, but there were still dispatch directories exceeding 255 characters and truncating.

Do any of the more modern windoze releases permit >256 pathnames ?

0 Karma

SplunkTrust
SplunkTrust

Looks like windows 10 supports “extended path names”.

NTFS supports super long paths but it’s MS code that does not.

0 Karma

SplunkTrust
SplunkTrust

One option: Move Splunk to c:\splunk

View solution in original post

SplunkTrust
SplunkTrust

Good point but what if you symlinked c:\asdf to the Splunk dir, and then changed the service to execute c:\asdf\bin\splunk.exe

Might work

Did you rename those searches though?

0 Karma

Path Finder

Circling back to close this up... finally...
Nope, Turns out the best solution for us was to reinstall Splunk, and move the necessary Conf files from the original location to the new one, as was jkat's original solution.

0 Karma

SplunkTrust
SplunkTrust

http://docs.splunk.com/Documentation/Splunk/6.5.0/Search/Dispatchdirectoryandsearchartifacts

If the name of the search is less than 20 characters and contains only ASCII alphanumeric characters, then the search-specific directory name includes the search name.

If the name of the search is 20 characters or longer, or contains non-alphanumeric characters, then a hash is used instead. This is to ensure a search-specific directory named by the search ID can be created on the filesystem.

So, is your search name longer than 20 characters and causing a hash (It appears so)?

If so, Option 2: shorten your search name

I think the more reliable option is Option 1 however, move splunk to c:\splunk. You'll never know when someone is going to create a search name longer than 20 chars.

Also someone should file an enhancement request / bug report here.

Enhancement = Let us specify the number of chars in the hashing algo
Bug = Causes issues on windows out of box

0 Karma

New Member

I would suggest to use Long Path Tool program. It resolves problems regarding the source path too long.

0 Karma

Path Finder

sourcetype=wineventlog =22 characters.
You're not going to get anywhere with a 20 character search, so I agree that's a bad option. I could move the Splunk install location, but even that's not a great option, and would take some time to rip it out, clean it up, and put it all back together, then repeat two more times to get all three indexers back up. This is definitely something that's in need of a bug/enhancement request.

Even better than the request to specify the number of chars in hashes, would be to allow us to specify the location where the hashed directories are created. Then I could map a drive to wherever I wanted, and just use the letter to specify where they go. For example if there was a conf that included:

[hashConfig]
hashPath = H:

then I could map H to C:\Program Files\Splunk\var\run\splunk\dispatch\
And then the files would be in the exact same location, but would be accessible because the file path for H:\ is only 3 characters.

0 Karma

SplunkTrust
SplunkTrust

no no no... not a 20 character search... a 20 character search NAME. When you save the search... the NAME you give it is what they're talking about in the link.

what if you sym linked the dispatch directory to a lower directory?

start->run->cmd
mklink /?
mklink /J "C:\Program Files\Splunk\var\run\splunk\dispatch\"  H:\

Might want to stop splunk before doing this, and start it afterwards. Might even require a reboot. Honestly i've never used symlinks in windows but the mklink /? shows the syntax.

0 Karma

Path Finder

Just for the record...I didn't create the searches that are causing this problem. I finally figured out where they're coming from. It's the pre-defined searches (aka "Guided Setup") that the Splunk App for Windows Infrastructure runs to verify that the proper data is flowing into Splunk, and to pre determine what panels to setup in the App.

Also, Symbolic Linking it wouldn't alleviate the problem, unless you could tell Splunk to use the sym link instead of the default path. The problem isn't that there's no space, or that the space can't be accessed. I could in theory create an H:\ and then add 257 characters again for a grand total of 500 characters, but windows won't let you work past 260 in the NAME of the path, so unless splunk lets me change the file path to the dispatch directory, windows won't allow it.

0 Karma

Ultra Champion
0 Karma

Path Finder

I agree that will be lovely... In the future. Assuming they don't back out again, like they did for Server 2k12.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!