Hi Guys,
So for some reason, I seem to have a few gigs of .bundle files in ProgramFiles/Splunk/var/run/searchpeers
They are all from a few days ago and there are none from what I can see for today or yesterday which I guess indicates there may have been an issue a few days back that's now resolved?
So my question is, is it safe to delete the files and also the folders that seem to accompany them?
Thanks as always
It's safe. I see -
$ ls *.bundle
apsrp2245-1464133286.bundle apsrp2245-1464996094.bundle apsrp2245-1466239379.bundle apsrp2252-1428717453.bundle
Nice discussion at knowledge bundle
It says -
-- The searchpeers directory retains up to five replicated bundles from each search head sending requests. If you delete them, they will be created again for the next search that needs that set of configurations. So technically you could remove older ones ...

Hi - Wondering whether you should delete them on the indexers and on the search heads as well if you want to enforce a creation of a new bundle?

It's safe, yes, but if 5 bundles are 2GB that puts them around 400MB apiece, which is quite large and worth investigating, as the bundle could have issues replicating if it hasn't already. Splunk states that above 200MB is a large bundle:
http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/Configurationbundleissues
Potentially there are items that could be blacklisted from being distributed to search peers to help remedy the situation.

Cheers Guys,
Had it confirmed from our 3rd party support team also. Deleted the files, did a quick restart of the service, and all seems to be running smoothly again. Not quite sure what caused it, but with our network it could have been many things.
Thanks for the responses 🙂
Aaron

I would try to start by looking at these bundle files to see what is in them that is so large. Large bundles sometimes have issues replicating to search peers so it's best to keep them as minimal as possible.
This will also help you determine what was going on when they were so large to make sure it doesn't happen again.
Bundle files are simply tar files so you should be able to explore them with any application that can open tar files. In Windows that might be 7-zip or a few other applications that are out there.
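
Added example (not part of the original replies, and not Splunk's own tooling): because the bundles are tar archives, a short Python script can report which files and directories account for the size without extracting anything. The sample archive and its member names are constructed for illustration; the 200MB threshold is the figure quoted earlier in this thread.

```python
import io
import os
import tarfile
import tempfile
from collections import Counter

LARGE_BUNDLE_BYTES = 200 * 1024 * 1024  # "large bundle" figure quoted in the thread

def summarize_bundle(path, top=5):
    """Return (total_bytes, largest directories, largest files) without extracting."""
    per_dir, files = Counter(), []
    with tarfile.open(path, "r:*") as tar:  # bundles are tar archives
        for member in tar:                  # walks entries; nothing is written to disk
            if not member.isfile():
                continue
            parts = [p for p in member.name.split("/") if p not in ("", ".")]
            # Group by the first two path components, e.g. "apps/<app name>"
            key = "/".join(parts[:2]) if len(parts) > 2 else parts[0]
            per_dir[key] += member.size
            files.append((member.size, member.name))
    files.sort(reverse=True)
    return sum(per_dir.values()), per_dir.most_common(top), files[:top]

def make_sample_bundle(path):
    """Constructed sample: a tiny stand-in for a real .bundle (hypothetical names)."""
    members = {
        "apps/search/lookups/big_lookup.csv": b"x" * 5000,
        "apps/search/local/savedsearches.conf": b"[s]\n" * 10,
        "apps/my_app/bin/helper.py": b"print()\n" * 50,
        "system/local/props.conf": b"[p]\n" * 5,
    }
    with tarfile.open(path, "w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "sample-0000000000.bundle")
        make_sample_bundle(bundle)
        return summarize_bundle(bundle)

if __name__ == "__main__":
    total, dirs, biggest = demo()
    print(f"total={total} bytes, over 200MB: {total > LARGE_BUNDLE_BYTES}")
    for size, name in dirs + biggest:
        print(f"{size:>12}  {name}")
```

To inspect a real bundle, call `summarize_bundle()` with the path to one of the `.bundle` files in the `searchpeers` directory.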

Thank you 🙂
