Monitoring Splunk

What are the bundles present in /opt/splunk/var/run/searchpeers location

adityapavan18
Contributor

Could anyone please tell me what all the bundles present in the /opt/splunk/var/run/searchpeers location are?

This location is holding a lot of data and disk space is almost full.

From what I saw, this location is holding the configurations of all the search heads contacting this indexer.

But for each search head there are around 5 copies of bundles with different timestamps:

SearchHead1-1384788323 Mon, 18 Nov 2013 15:25:23 GMT

SearchHead1-1384796779 Mon, 18 Nov 2013 17:46:19 GMT

SearchHead1-1384810416 Mon, 18 Nov 2013 21:33:36 GMT

SearchHead1-1384810689 Mon, 18 Nov 2013 21:38:09 GMT

SearchHead1-1384811445 Mon, 18 Nov 2013 21:50:45 GMT

Is there a way I can restrict the number of copies and let only the latest be present?

Or if there is any other option to restrict this, please let me know.


MuS
SplunkTrust

Hi adityapavan18,

You can find all the information in the docs about what search heads send to search peers.

hope this helps ...

cheers, MuS

MuS
SplunkTrust

You should not delete bundles unless you want to mess up Splunk. For the moment I cannot tell you if there is a conf option to limit that. If I find something, I'll get back to you.

lguinn2
Legend

As of Aug 16, 2016 - I can't find a way to limit the space. BUT, you can clean up the older bundles. The best thing is to keep the latest bundle (and delta file) for each search head.

You can make the bundles smaller by disabling apps on the search head that you are not using. For example, I am not using the splunk_archiver app which is enabled by default. Disabling it saves approximately 40MB per bundle - not a lot unless you have many copies of bundles.

In a really desperate case, you can stop Splunk and then remove the entire $SPLUNK_HOME/var/run/searchpeers directory for the indexer(s), then restart Splunk. Now each search head will have to resend its bundle, but it should recover some space...

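A dry-run sketch of the "keep the latest bundle for each search head" cleanup described above, added here as an example and not taken from the thread or from Splunk. It assumes entries are named `<search head>-<epoch seconds>` as in the listing in the question, optionally with an extension; the `SearchHead2` names and `notes.txt` are constructed, and the script only reports, it never deletes.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed naming: "<search head>-<10-digit epoch>" with an optional extension.
BUNDLE_RE = re.compile(r"^(?P<head>.+)-(?P<epoch>\d{10})(?P<ext>\.\w+)?$")

def plan_cleanup(names):
    """Group entries by search head; newest epoch is kept, older ones are stale."""
    by_head = defaultdict(list)
    for name in names:
        m = BUNDLE_RE.match(name)
        if m:  # names that do not match are ignored, so never flagged as stale
            by_head[m["head"]].append((int(m["epoch"]), name))
    plan = {}
    for head, entries in by_head.items():
        newest = max(epoch for epoch, _ in entries)
        plan[head] = {
            "keep": sorted(n for e, n in entries if e == newest),
            "stale": [n for e, n in sorted(entries) if e < newest],
        }
    return plan

def gmt(name):
    """Render the epoch embedded in an entry name as a GMT timestamp."""
    epoch = int(BUNDLE_RE.match(name)["epoch"])
    return datetime.fromtimestamp(epoch, timezone.utc).strftime(
        "%a, %d %b %Y %H:%M:%S GMT")

# SearchHead1 names come from the question; the rest are constructed samples.
SAMPLE = [
    "SearchHead1-1384788323", "SearchHead1-1384796779",
    "SearchHead1-1384810416", "SearchHead1-1384810689",
    "SearchHead1-1384811445",
    "SearchHead2-1384800000.bundle", "SearchHead2-1384811000.bundle",
    "notes.txt",
]

if __name__ == "__main__":
    # To inspect a real indexer, replace SAMPLE with os.listdir(<searchpeers dir>).
    for head, p in sorted(plan_cleanup(SAMPLE).items()):
        for n in p["keep"]:
            print(f"KEEP   {n}  ({gmt(n)})")
        for n in p["stale"]:
            print(f"STALE  {n}  ({gmt(n)})")
```

Review the STALE list by hand before removing anything, given the warning earlier in the thread about deleting bundles.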

adityapavan18
Contributor

Thanks MuS. That helped, but one more query. There are multiple bundles for the same search head. Do you have any idea why this many copies are being stored? Can't we have only the latest copy and delete the old bundles?