Could anyone please tell me what are all the bundles present in the /opt/splunk/var/run/searchpeers location?
This location is kind of holding a lot of data and disk space is almost full.
From what I saw, this location is holding configurations of all the search heads contacting this indexer.
But for each search head there are around 5 copies of bundles with different timestamps:
SearchHead1-1384788323 Mon, 18 Nov 2013 15:25:23 GMT
SearchHead1-1384796779 Mon, 18 Nov 2013 17:46:19 GMT
SearchHead1-1384810416 Mon, 18 Nov 2013 21:33:36 GMT
SearchHead1-1384810689 Mon, 18 Nov 2013 21:38:09 GMT
SearchHead1-1384811445 Mon, 18 Nov 2013 21:50:45 GMT
Is there a way I can restrict this many copies and let only the latest be present?
Or any other option to restrict this, please let me know.
You should not delete bundles unless you want to mess up Splunk. For the moment I cannot tell you if there is a conf option to limit that. If I find something, I'll get back to you.
As of Aug 16, 2016 - I can't find a way to limit the space. BUT, you can clean up the older bundles. The best thing is to keep the latest bundle (and delta file) for each search head.
You can make the bundles smaller by disabling apps on the search head that you are not using. For example, I am not using the splunk_archiver app which is enabled by default. Disabling it saves approximately 40MB per bundle - not a lot unless you have many copies of bundles.
In a really desperate case, you can stop Splunk and then remove the entire $SPLUNK_HOME/var/run/searchpeers directory for the indexer(s), then restart Splunk. Now each search head will have to resend its bundle, but it should recover some space...
Thanks MuS. That helped, but one more query. There are multiple bundles for the same search head. Do you have any idea why this many copies are being stored? Can't we have only the latest copy and delete the old bundles?
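An added example, not part of the original thread and not Splunk's own tooling: a dry-run listing of the entries in the searchpeers directory that are older than the newest bundle for each search head, which is the set the cleanup answer above suggests removing. It assumes entries are named `<searchhead>-<epoch>` as in the listing in the question, with an optional `.bundle` suffix (an assumption); the function name is hypothetical, and delta files and anything else that does not match the pattern are left out of the report.

```shell
#!/bin/sh
# list_stale_bundles DIR   (hypothetical helper, dry run only: nothing is deleted)
#
# Prints every entry in DIR named <searchhead>-<epoch> (optionally ending in
# ".bundle", which is an assumption) whose epoch is older than the newest
# epoch seen for the same search head. Entries that do not match the pattern,
# delta files included, are never printed.
list_stale_bundles() {
    LC_ALL=C ls -1 "$1" | awk '
        {
            base = $0
            sub(/\.bundle$/, "", base)
            # Split on the LAST "-<digits>" so search head names that
            # themselves contain hyphens are handled correctly.
            if (match(base, /-[0-9]+$/) == 0) next
            shname = substr(base, 1, RSTART - 1)
            epoch  = substr(base, RSTART + 1) + 0
            names[NR] = $0
            owner[NR] = shname
            stamp[NR] = epoch
            if (!(shname in newest) || epoch > newest[shname])
                newest[shname] = epoch
        }
        END {
            # Report in listing order everything older than the newest
            # bundle of its own search head.
            for (i = 1; i <= NR; i++)
                if ((i in names) && stamp[i] < newest[owner[i]])
                    print names[i]
        }'
}

# Dry run when a directory is passed as the first argument, e.g.
#   sh list_stale_bundles.sh /opt/splunk/var/run/searchpeers
if [ -n "${1:-}" ]; then
    list_stale_bundles "$1"
fi
```

Review the printed names before removing anything.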