Knowledge Management

what does these files from searchhead mean?

Reethika
Path Finder

Hi,

What does these files mean. 

In dir /opt/splunk

1.5M    rsa_scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5ba43509e6e89712f_at_1593296280_9250_98A434A0-EF12-4A03-865F-58FC89DB3621
1.5M    scheduler__nobody_U0EtSWRlbnRpdHlNYW5hZ2VtZW50__RMD5f155b8fe52024c5b_at_1593277800_8402_D42B43D6-7CD8-49F4-8960-5743B7FBF310

 

Thanks. 

 

Labels (3)
0 Karma

anilchaithu
Builder

@Reethika 

Is this dispatch directory disk space warning occurring across all the search heads? If it's on one node you can move/delete them since they are available on the other SH nodes.

Its better to delete the older artifacts first.

https://docs.splunk.com/Documentation/Splunk/8.0.4/Search/Dispatchdirectoryandsearchartifacts#Clean_...

Hope this helps

sylim_splunk
Splunk Employee
Splunk Employee

Whenever search runs it creates search artifacts in  $SPLUNK_HOME/var/run/splunk/dispatch

"scheduler__nobody_U0EtSWRlbnRpdHlNYW5hZ2VtZW50" is created by scheduled search in SA-IdentityManagement (decoded from base64 of U0EtSWRlbnRpdHlNYW5hZ2VtZW50)

Another one starting with "rsa_scheduler__nobody_U3BsdW5rX1NBX0NJTQ" is replicated search artifacts for the sched search, "scheduler__nobody_U3BsdW5rX1NBX0NJTQ_..." according to your shclustering replication_factor.

 

Reethika
Path Finder

Thanks @sylim_splunk  @anilchaithu 

In times of high disk utilization, can we delete them manually? Is it recommended? 

0 Karma

anilchaithu
Builder

@Reethika 

Did you find these in dispatch directory (/opt/splunk/var/run/splunk/dispatch)? These are search artifacts. whenever you run search (either saved OR adhoc) it created these artifacts on the same node. 

when the job expires these artifacts gets deleted.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...