Monitoring Splunk

Knowledge Bundle Cache?

Strype
Path Finder

I had two large apps causing my knowledge bundle to time out. I deleted both app folders in etc apps and in etc user admin. The knowledge bundle has not shrunk and the warnings and errors continue:

04-16-2013 14:39:49.268 -0500 WARN DistributedBundleReplicationManager - bundle replication to 1 peer(s) took too long (10624ms), bundle file size=45110KB, replication_id=1366141178host=SERVER

source=Splunk Home\var\log\splunk\splunkd.log

component=DistributedBundleReplicationManager

log_level=WARN

I did this same thing on the test system and it worked. On the live system, it doesn't. The knowledge bundle shouldn't be more than a couple of MB now.

Anybody know?

Thanks,

0 Karma

u07t04
Engager

Did this work for you? Please let me know. Thanks!

0 Karma

mookiie2005
Communicator

Look at your distsearch.conf file in: Splunk_home\etc\apps\windows\local

Add the stanza:

[replicationBlacklist]
# The value is a regex matched against the forward-slash path relative to $SPLUNK_HOME/etc (on Windows too),
# so use forward slashes and escape the literal dot.
nontsyslogmappings = apps/windows/lookups/ntsyslog_mappings\.csv

This will blacklist the above file (ntsyslog_mappings.csv) so it is not included in the knowledge bundle. You can make the name anything you like for each file you wish to blacklist. Run a search on your etc/apps, etc/system, etc/users and blacklist large files that are not needed for the searches. Be careful not to get overzealous in what you blacklist. Hope this helps you.

0 Karma
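As an added example (not code from this thread or from Splunk), a small Python script that does the "search etc/apps, etc/system, etc/users for large files" step from the answer above and turns the hits into a [replicationBlacklist] stanza. It assumes, per the distsearch.conf reference, that each entry is a regex matched against the forward-slash path relative to $SPLUNK_HOME/etc; it runs against a constructed sample tree, so point find_large_files() at a real etc directory to use it.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample: a miniature $SPLUNK_HOME/etc with two oversized lookups.
SAMPLE_FILES = {
    "apps/windows/lookups/ntsyslog_mappings.csv": 3 * 1024 * 1024,  # 3 MiB, expect blacklisted
    "apps/windows/local/distsearch.conf": 200,
    "apps/search/default/props.conf": 4096,
    "users/admin/search/lookups/big_assets.csv": 2 * 1024 * 1024,  # 2 MiB, expect blacklisted
}


def make_sample_etc():
    """Write the constructed tree to a temp dir and return its root (stands in for $SPLUNK_HOME/etc)."""
    root = Path(tempfile.mkdtemp(prefix="splunk_etc_"))
    for rel, size in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"x" * size)
    return root


def find_large_files(etc_dir, min_bytes=1024 * 1024):
    """Return [(forward-slash path relative to etc_dir, size)] for files >= min_bytes, largest first."""
    etc = Path(etc_dir)
    hits = []
    for dirpath, _dirs, files in os.walk(etc):
        for name in files:
            path = Path(dirpath) / name
            size = path.stat().st_size
            if size >= min_bytes:
                hits.append((path.relative_to(etc).as_posix(), size))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


def blacklist_stanza(rel_paths):
    """Render a [replicationBlacklist] stanza: unique entry names, regex-escaped forward-slash paths."""
    lines = ["[replicationBlacklist]"]
    for index, rel in enumerate(rel_paths, 1):
        label = re.sub(r"[^A-Za-z0-9]", "_", Path(rel).stem) or "file"
        lines.append(f"exclude_{index}_{label} = {re.escape(rel)}")
    return "\n".join(lines)


if __name__ == "__main__":
    large = find_large_files(make_sample_etc())
    for rel, size in large:
        print(f"{size // 1024:>8} KB  {rel}")
    print(blacklist_stanza([rel for rel, _ in large]))
```

Review the list before pasting the stanza into distsearch.conf: a lookup that searches actually depend on must stay in the bundle.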

Strype
Path Finder

I did. I think I have a solution. I'm going to add shareBundle=false into the distsearch.conf and restart. Then I'll change it to true and restart. I bet that will purge that old bundle info out of there. I'll post if it works.

0 Karma

kristian_kolb
Ultra Champion

restart splunkd?

0 Karma