Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Knowledge Bundle Cache?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Knowledge Bundle Cache?
I had two large apps causing my knowledge bundle to time out. I deleted both app folders in etc apps and in etc user admin. The knowledge bundle has not shrunk and the warnings and errors continue:
04-16-2013 14:39:49.268 -0500 WARN DistributedBundleReplicationManager - bundle replication to 1 peer(s) took too long (10624ms), bundle file size=45110KB, replication_id=1366141178host=SERVER Options|
source=Splunk Home\var\log\splunk\splunkd.log Options|
component=DistributedBundleReplicationManager Options|
log_level=WARN Options
I did this same thing on the test system and it worked. On the live system, it doesn't. The knowledge bundle shouldn't be more than a couple of MB now.
Anybody know?
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did this worked for you? Please let me know.Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Look at your distsearch.conf file in: Splunk_home\etc\apps\windows\local
Add the stanza:
[replicationBlacklist]
nontsyslogmappings = apps\windows\lookups\ntsyslog_mappings.csv
this will blacklist the above file (ntsyslog_mappings.csv) so it is not included in the knowledge bundle. You can make the name anything you like for each file you wish to backlist. Run a search on your etc/apps, etc/system, etc/users and blacklist large files that are not needed for the searches. Be careful not to get over zealous in what you blacklist. Hope this helps you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did. I think I have a solution. I'm going to add shareBundle=false into the distsearch.conf and restart. Then I'll change it to true and restart. I bet that will purge that old bundle info out of there. I'll post if it works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
restart splunkd?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
