Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Knowledge bundle size issues

muradgh
Path Finder
‎04-10-2023 04:14 AM

Hi All,

I have this error message on the SH in Splunk:
{

Knowledge bundle size=3525MB exceeds max limit=2048MB. Distributed searches are running against an outdated knowledge bundle. Please remove/disable files from knowledge bundle or increase maxBundleSize in distsearch.conf.

}

What I did is increase the maxBundleSize in distsearch.conf :
I did this command on the server:
/opt/splunk/bin/splunk btool distsearch list --debug | grep maxBundleSize
and the result is:
/opt/splunk/etc/system/default/distsearch.conf                  maxBundleSize = 2048
So inside the /opt/splunk/etc/system/local/distsearch.conf I added the:

[replicationSettings]
maxBundleSize = 4000

Restarted Splunk, and noticed that the first error message is gone, but a new Yellow warning appeared:
{

The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is /opt/splunk/var/run/InvestBank-SH-1-1681121119-1681121612.delta.

}

muradgh_0-1681123932468.png


So I went to this path to check what is going on there:
cd /opt/splunk/var/run

muradgh_1-1681124580843.png

I have found 2 large files and one medium.
Can someone please advise me on what to do past this point? 

I have found someone posted to check the below search:
index =_internal sourcetype=splunkd component=Archiver Archiving large_file=*
| stats count latest(size_in_bytes) by large_file

muradgh_2-1681125073509.png

I don't know if this has any relation to the subject.



Please note that my Splunk environment is not a cluster.

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-10-2023 05:24 AM

Look inside the large bundle files (they're just tarballs) to see what's making them so large.  It's probably one or more huge lookup files.  Make sure the lookups are expected to be that big as it's possible a bad search is appending rather than replacing data in the lookup.

If the lookup needs to be that large then remove it from the replication bundle ([repicationDenyList] in distsearch.conf) and distribute it to the indexers via another method.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...