what does these files from searchhead mean?

Reethika · ‎06-29-2020

Hi,

What does these files mean.

In dir /opt/splunk

1.5M rsa_scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5ba43509e6e89712f_at_1593296280_9250_98A434A0-EF12-4A03-865F-58FC89DB3621
1.5M scheduler__nobody_U0EtSWRlbnRpdHlNYW5hZ2VtZW50__RMD5f155b8fe52024c5b_at_1593277800_8402_D42B43D6-7CD8-49F4-8960-5743B7FBF310

Thanks.

anilchaithu · ‎07-02-2020

@Reethika

Is this dispatch directory disk space warning occurring across all the search heads? If it's on one node you can move/delete them since they are available on the other SH nodes.

Its better to delete the older artifacts first.

https://docs.splunk.com/Documentation/Splunk/8.0.4/Search/Dispatchdirectoryandsearchartifacts#Clean_...

Hope this helps

sylim_splunk · ‎06-29-2020

Whenever search runs it creates search artifacts in $SPLUNK_HOME/var/run/splunk/dispatch

"scheduler__nobody_U0EtSWRlbnRpdHlNYW5hZ2VtZW50" is created by scheduled search in SA-IdentityManagement (decoded from base64 of U0EtSWRlbnRpdHlNYW5hZ2VtZW50)

Another one starting with "rsa_scheduler__nobody_U3BsdW5rX1NBX0NJTQ" is replicated search artifacts for the sched search, "scheduler__nobody_U3BsdW5rX1NBX0NJTQ_..." according to your shclustering replication_factor.

Reethika · ‎06-29-2020

Thanks @sylim_splunk @anilchaithu

In times of high disk utilization, can we delete them manually? Is it recommended?

anilchaithu · ‎06-29-2020

@Reethika

Did you find these in dispatch directory (/opt/splunk/var/run/splunk/dispatch)? These are search artifacts. whenever you run search (either saved OR adhoc) it created these artifacts on the same node.

when the job expires these artifacts gets deleted.

what does these files from searchhead mean?

event type

field extraction

summary indexing

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?