Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Monitoring Console: How do i find the number of excessive artifacts or bundles and remove the excess?

scottrunyon
Contributor
‎01-10-2017 12:16 PM

In Monitoring Console, under Distributed Search: Instance, the average times for "Time to Reap Knowledge Bundle Directory" and "Time to Reap Dispatch Directory" are showing very long times. 593,038 ms for the Knowledge bundle and 1,151,252 for the Dispatch Directory. The notes at the bottom of say that this caused by storage performance issues or excessive number of bundles or artifacts.

My question is how do I find the number of bundles/artifacts and clear out any excess?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-10-2017 01:52 PM

I don't know if this is a best practice, but I simply go to the directories and search for any files that have not been modified in the past week - then delete them. This seems to work and you could probably even use a more recent cutoff. I used 7 days because that is the longest time that someone could save their search results (which are kept in the dispatch directory) - at least in my particular case.
I've scripted this and it runs nightly.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

scottrunyon
Contributor
‎01-12-2017 07:08 AM

Looking closer at the dashboard for this, there are values for MAX values for these instances. The MAX values are a lot lower, 2145 ms max for the "Time to Reap Knowledge Bundle Directory" and 3085 ms max for the "Time to Reap Dispatch Directory". I seem to remember from math class that the average should be lower than the maximum value. Could there be some calculation problem in the underlying search for the dashboard?

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-10-2017 01:52 PM

I don't know if this is a best practice, but I simply go to the directories and search for any files that have not been modified in the past week - then delete them. This seems to work and you could probably even use a more recent cutoff. I used 7 days because that is the longest time that someone could save their search results (which are kept in the dispatch directory) - at least in my particular case.
I've scripted this and it runs nightly.

0 Karma
Reply
Solved! Jump to solution

SamHTexas
Builder
‎04-01-2021 02:06 PM

Thank u for your message. What are path to these directories / Could they be accessed via GUI?

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...