Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Cluster manager troubleshooting

Darkvader
Explorer
‎04-01-2026 05:59 AM

Search peer appprd09 has the following message: The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is /opt/splunk/var/run/xyz.bundle

Search peer appprd09 has the following message: Splunk has found 1 orphaned searches owned by 1 unique disabled users.

Greetings all,

 

I received the above messages in the cluster manager. How do I identify what that bundle consists of, the orphaned search best troubleshooting steps and is there a troubleshooting doc/video I can use to learn more?

0 Karma
Reply

kknairr
Contributor
‎04-01-2026 07:36 AM

@Darkvader These two issues are most common in many Splunk deployments and will address them separately.

For the first one, bundle replication may fail warning - usually caused by large lookup files (often CSVs) included in the search head bundle. This issue is documented in the Splunk knowledge base and refer it for solution.

Solution: Distributed Bundle Replication Manager: The current bundle directory contains a large lookup file th...

Secondly, for Orphaned Searches messages indicates there are active scheduled searches which are owned by disabled or deleted user accounts, may be a user who left the organization. The recommended resolution is to reassign ownership to an active account or disable the search if it is no longer needed.

Refer: Manage orphaned knowledge objects | Splunk Enterprise (last updated 2025-07-04T01:22:43.095Z)

Solution: Orphaned Scheduled Searches, Reports, and Alerts are missing. | Splunk

>>

If this post addressed your question, you can:

  • Give it karma to show appreciation 👍
  • Mark it as the solution if it solved your issue ✔️
  • Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

 

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...