Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is the number of search artifacts in the dispatch directory higher than recommended?

splunkcol
Builder
‎08-17-2020 09:37 AM

The following error appears

"The number of search artifacts in the dispatch directory is higher than recommended (count=5155, warning threshold=5000) and could have an impact on search performance. Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size."

After reviewing for a while in the forum I find that they mention the root /var2/splunk/splunk/var/run/splunk/dispatch  where they suggest to erase the oldest

somewhere they mention the jobs where it is recommended that they are not in real time

When entering via the web I find more than 700 jobs of which 10 are in progress and take more than 25 minutes, these jobs correspond to applications such as:

SA-ThreatIntelligence
DA-ESS-NetworkProtection
DA-ESS-EndpointProtection
SA-AccessProtection

how I should proceed?

Screenshot_4.png

0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-17-2020 12:43 PM

may be some of your alerts are set to live for more number of days , thus Splunk can't delete the jobs.

dispatch.ttl = <integer>[p]
* Indicates the time to live (ttl), in seconds, for the artifacts of the
  scheduled search, if no actions are triggered.
* If the integer is followed by the letter 'p', the ttl is calculated as a
  multiple of the execution period for the scheduled search.
  For example, if the search is scheduled to run hourly and ttl is set to 2p,
  the ttl of the artifacts is set to 2 hours.
* If an action is triggered, the ttl is changed to the ttl for the action. If
  multiple actions are triggered, the action with the largest ttl is applied
  to the artifacts. To set the ttl for an action, refer to the
  alert_actions.conf.spec file.
* For more information on the ttl for a search, see the limits.conf.spec file
  [search] stanza ttl setting.
* Default: 2p, which is 2 times the period of the scheduled search

 

you can make use of below rest query to see if the setting is changed for any of your alerts:

 

| rest /services/saved/searches | search title="test alert" | table title dispatch.ttl

 

————————————
If this helps, give a like below.
0 Karma
Reply

juancamiloll
Explorer
‎08-19-2020 10:37 AM

 

today I see the same error message and there are no jobs running

When checking in other answers for this error message they refer to this folder where they recommend deleting the oldest files
But I see 3 types of files
the folder weighs 2Gb

 

is it safe to delete this information?

summarize.png

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...