Getting Data In

Is it safe to delete .bundle files from /opt/splunk/var/run/search peers ?

Hemnaath
Motivator

Hi All,

Currently we have an disk space issue in two of the splunk indexer instances and we have separate volume create for storing the indexed data. We found that /opt/splunk/var/run/search peers is consuming nearly 19 GB of disk space and /opt/splunk/var/lib/ is occupying some where around 15 GB most containing the splunk internal data.

Total disk space allotted for 47G 41G 4.1G 91% /opt

Question :

1) Is it safe to delete the .bundle files from this location for the indexer instances.
2) What will be the correct solution to prevent the disk crunch issue in future.

kindly guide me on this.

Tags (2)
1 Solution

CarsonZa
Contributor

yes it is safe to delete the bundles. How big are the bundles a piece?

View solution in original post

CarsonZa
Contributor

yes it is safe to delete the bundles. How big are the bundles a piece?

Hemnaath
Motivator

size of the single .delta file size is around 1.6 GB. Can we still delete the .delta file of this size.

0 Karma

CarsonZa
Contributor

yes, i would check to make sure you are not unnecessarily replicating apps you don't use and lookups that aren't useful.

0 Karma

Hemnaath
Motivator

Hi Carsonza, thanks for your inputs, I had found the issue we had a .csv with size of 661MB and along with other knowledge bundles and it was causing the replication issue. When checked the lookup file and found that it was broken, because the fields in the lookup table are data that is not relevant to ServiceNow. On fixing the lookup issue the .csv file size was reduce to 49 MB and it cleared the space issue.

0 Karma

CarsonZa
Contributor

good to hear, if my answer helped you reach this conclusion please accept my answer.

0 Karma
Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! 👏 Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...