Monitoring Splunk

Monitoring Console: How do i find the number of excessive artifacts or bundles and remove the excess?

scottrunyon
Contributor

In Monitoring Console, under Distributed Search: Instance, the average times for "Time to Reap Knowledge Bundle Directory" and "Time to Reap Dispatch Directory" are showing very long times. 593,038 ms for the Knowledge bundle and 1,151,252 for the Dispatch Directory. The notes at the bottom of say that this caused by storage performance issues or excessive number of bundles or artifacts.

My question is how do I find the number of bundles/artifacts and clear out any excess?

0 Karma
1 Solution

lguinn2
Legend

I don't know if this is a best practice, but I simply go to the directories and search for any files that have not been modified in the past week - then delete them. This seems to work and you could probably even use a more recent cutoff. I used 7 days because that is the longest time that someone could save their search results (which are kept in the dispatch directory) - at least in my particular case.
I've scripted this and it runs nightly.

View solution in original post

0 Karma

scottrunyon
Contributor

Looking closer at the dashboard for this, there are values for MAX values for these instances. The MAX values are a lot lower, 2145 ms max for the "Time to Reap Knowledge Bundle Directory" and 3085 ms max for the "Time to Reap Dispatch Directory". I seem to remember from math class that the average should be lower than the maximum value. Could there be some calculation problem in the underlying search for the dashboard?

0 Karma

lguinn2
Legend

I don't know if this is a best practice, but I simply go to the directories and search for any files that have not been modified in the past week - then delete them. This seems to work and you could probably even use a more recent cutoff. I used 7 days because that is the longest time that someone could save their search results (which are kept in the dispatch directory) - at least in my particular case.
I've scripted this and it runs nightly.

0 Karma

SamHTexas
Builder

Thank u for your message. What are path to these directories / Could they be accessed via GUI?

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...