Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is the Splunk dispatch directory not getting cleaned up automatically, even after setting the dispatch.ttl in savedsearches.conf?

Plotkowski
Path Finder
‎11-23-2015 01:45 AM

We run into some issues in our Splunk environment.
We have a Splunk 6.3 indexer and search head. The dispatch directory on the search head is constantly growing and Splunk stops working after a few days. We then need to manually restart the search head.
After the restart, the dispatch directory is getting cleaned up automatically and only searches from the last 24h remain.
I already set the dispatch.ttl in savedsearches.conf to 86400. (1 day) But the artifacts in the directory remain for much longer until we restart the system.

We have about 10 scheduled searches with alarms which run every hour, so it is not that much.
Is there any way to fix the automatic clean-up of the directory or what is the best way to restart the search head automatically every night on a Windows system?

Reply

jkat54
SplunkTrust
SplunkTrust
‎01-01-2016 05:48 AM

Last time this happened to me there was another error causing the problem.

Please check index=_internal for any ERROR or WARN messages, and then fix all of them you can. In my case i had a datamodel that was deleted incorrectly and splunk was pounding the logs with "data model not found" errors. AND my issue completely disabled all scheduled searches, alerts, reports, and the sendemail command. After removing the saved search that referenced the missing data model, 10000 emails went out, performance increased, and the problems went away.

The issue was that Splunk was trying so hard to find the data model, it couldnt do anything else... all the maintenance tasks like emptying the old/obsolete search bundles were failing to execute because "splunk" was too busy.

0 Karma
Reply

jrubio1
New Member
‎01-14-2016 12:55 PM

ahhh I've seen some errors.. I'll look into cleaning that up and report back.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎01-14-2016 06:03 PM

I would be suspicious of anything that could hold up a scheduler... Missing searches, data models, infinite loop conditions, extremely long running searches, broken servers missing punctuation in conf files, etc. Good news is you have the best tool for finding needles in haystacks!

0 Karma
Reply

jrubio1
New Member
‎12-30-2015 12:31 PM

I'm having the same problem as well.. Will have to setup a .bat to clear out until solution is provided.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...