Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Knowledge Bundle Cache?

Strype
Path Finder
‎04-16-2013 12:49 PM

I had two large apps causing my knowledge bundle to time out. I deleted both app folders in etc apps and in etc user admin. The knowledge bundle has not shrunk and the warnings and errors continue:

04-16-2013 14:39:49.268 -0500 WARN DistributedBundleReplicationManager - bundle replication to 1 peer(s) took too long (10624ms), bundle file size=45110KB, replication_id=1366141178host=SERVER Options|

source=Splunk Home\var\log\splunk\splunkd.log Options|

component=DistributedBundleReplicationManager Options|

log_level=WARN Options

I did this same thing on the test system and it worked. On the live system, it doesn't. The knowledge bundle shouldn't be more than a couple of MB now.

Anybody know?

Thanks,

0 Karma
Reply

u07t04
Engager
‎08-01-2013 10:56 AM

Did this worked for you? Please let me know.Thanks!

0 Karma
Reply

mookiie2005
Communicator
‎07-02-2013 07:25 AM

Look at your distsearch.conf file in: Splunk_home\etc\apps\windows\local

Add the stanza:

[replicationBlacklist]
nontsyslogmappings = apps\windows\lookups\ntsyslog_mappings.csv

this will blacklist the above file (ntsyslog_mappings.csv) so it is not included in the knowledge bundle. You can make the name anything you like for each file you wish to backlist. Run a search on your etc/apps, etc/system, etc/users and blacklist large files that are not needed for the searches. Be careful not to get over zealous in what you blacklist. Hope this helps you.

0 Karma
Reply

Strype
Path Finder
‎04-17-2013 09:10 AM

I did. I think I have a solution. I'm going to add shareBundle=false into the distsearch.conf and restart. Then I'll change it to true and restart. I bet that will purge that old bundle info out of there. I'll post if it works.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎04-16-2013 11:46 PM

restart splunkd?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...