Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Monitoring Console: How do i find the number of excessive artifacts or bundles and remove the excess?

scottrunyon
Contributor
‎01-10-2017 12:16 PM

In Monitoring Console, under Distributed Search: Instance, the average times for "Time to Reap Knowledge Bundle Directory" and "Time to Reap Dispatch Directory" are showing very long times. 593,038 ms for the Knowledge bundle and 1,151,252 for the Dispatch Directory. The notes at the bottom of say that this caused by storage performance issues or excessive number of bundles or artifacts.

My question is how do I find the number of bundles/artifacts and clear out any excess?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-10-2017 01:52 PM

I don't know if this is a best practice, but I simply go to the directories and search for any files that have not been modified in the past week - then delete them. This seems to work and you could probably even use a more recent cutoff. I used 7 days because that is the longest time that someone could save their search results (which are kept in the dispatch directory) - at least in my particular case.
I've scripted this and it runs nightly.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

scottrunyon
Contributor
‎01-12-2017 07:08 AM

Looking closer at the dashboard for this, there are values for MAX values for these instances. The MAX values are a lot lower, 2145 ms max for the "Time to Reap Knowledge Bundle Directory" and 3085 ms max for the "Time to Reap Dispatch Directory". I seem to remember from math class that the average should be lower than the maximum value. Could there be some calculation problem in the underlying search for the dashboard?

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-10-2017 01:52 PM

I don't know if this is a best practice, but I simply go to the directories and search for any files that have not been modified in the past week - then delete them. This seems to work and you could probably even use a more recent cutoff. I used 7 days because that is the longest time that someone could save their search results (which are kept in the dispatch directory) - at least in my particular case.
I've scripted this and it runs nightly.

0 Karma
Reply
Solved! Jump to solution

SamHTexas
Builder
‎04-01-2021 02:06 PM

Thank u for your message. What are path to these directories / Could they be accessed via GUI?

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...