Splunk Enterprise

Knowledge Bundle

CarsonZa
Contributor

I was investigating bundle sizes coming from one of my SHC and came across several apps in the bundle that had the following in the lookup directory. Qualys is just one example; there are several other apps where index.default and index.alive are present. Can someone tell me what these are and what they're doing in a knowledge bundle?

qualys_kb.csv_1534282613.index.default

qualys_kb.csv_1643803241.755269.cs.index.alive

1 Solution

burwell
SplunkTrust

Hi. I see people talking about the issue on Splunk's slack usersgroups instance in the admin channel.

I pinged you there.

There is mention that the .alive indicates that activity is happening.

If you don't want that in your knowledge bundle I would blacklist it, but it is a good question.


burwell
SplunkTrust

Hi. Have you looked at the distsearch settings wrt bundles?

https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Limittheknowledgebundlesize

So in the distsearch.conf there is both replicationWhitelist and replicationBlacklist.

These are regexes that specify what gets put into the knowledge bundles.

To find out exactly what is in place, use btool on your Splunk search head and examine the setting. I like to add --debug in order that I can see exactly which app is contributing to the setting. By that I mean an app can have a distsearch.conf, or you might have settings in etc/system/local/distsearch.conf, etc.


/opt/splunk/bin/splunk btool distsearch list replicationWhitelist --debug

/opt/splunk/bin/splunk btool distsearch list replicationBlacklist --debug

 

For example, for me:

/opt/splunk/bin/splunk btool distsearch list replicationWhitelist --debug
[replicationWhitelist]
/opt/splunk/etc/apps/splunk_archiver/default/distsearch.conf javabin = apps/splunk_archiver/java-bin/...
/opt/splunk/etc/system/default/distsearch.conf               kvstore = kvstore_*/...
/opt/splunk/etc/system/default/distsearch.conf               other = (system|(apps/(?!pdfserver)*)|users(/_reserved)?/*/*)/(bin|lookups)/...

(etc)

CarsonZa
Contributor

Thank you for the response. I am familiar with replicationBlacklist; however, my question is what index.default and index.alive are doing in a lookup directory in a knowledge bundle.

CarsonZa
Contributor

Thank you, I'm gonna add the details from Slack for anyone else who might come across this.

"...Once a lookup exceeds the max memtable limit, Splunk will bucketify it, creating a kind of mini index."

So if you're seeing index.alive or index.default, just blacklist the respective lookup in distsearch.conf, and in rare circumstances you could increase max_mem_usage_mb in limits.conf.
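Putting burwell's btool/replicationBlacklist explanation and the Slack note together, here is an added Python example (not from this thread and not Splunk's own code) that scans a constructed bundle listing for the bucketified-lookup artefacts, groups them by app, and checks that a candidate [replicationBlacklist] entry would drop them while keeping the .csv lookups themselves. It assumes the wildcard reading of distsearch.conf.spec where `...` matches across `/` and `*` does not, that patterns are matched against the full path relative to $SPLUNK_HOME/etc, and that the artefact name shape generalises from the two file names in the question; the entry name, app names and sizes are made up.

```python
import re
from collections import defaultdict

# Constructed sample bundle listing: (path relative to $SPLUNK_HOME/etc, size in bytes).
# The two Qualys file names come from the question; app names and sizes are made up.
SAMPLE_BUNDLE = [
    ("apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv", 412_000_000),
    ("apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv_1534282613.index.default", 95_000_000),
    ("apps/TA-QualysCloudPlatform/lookups/qualys_kb.csv_1643803241.755269.cs.index.alive", 0),
    ("apps/search/lookups/geo_attr_countries.csv", 50_000),
    ("apps/other_app/lookups/assets.csv_1700000000.index.default", 30_000_000),
    ("apps/other_app/bin/script.py", 2_000),
]

# Shape of the artefact names, inferred only from the two examples in the question:
#   <lookup>.csv_<epoch>[.<fraction>][.cs].index.(default|alive)
ARTEFACT = re.compile(r"^(?P<lookup>[^/]+?\.csv)_\d+(\.\d+)?(\.cs)?\.index\.(default|alive)$")


def find_bucketified(listing):
    """Group bucketified-lookup artefacts by app: {app: [(lookup, file name, size), ...]}."""
    by_app = defaultdict(list)
    for path, size in listing:
        parts = path.split("/")
        m = ARTEFACT.match(parts[-1])
        if m and parts[0] == "apps" and "lookups" in parts:
            by_app[parts[1]].append((m.group("lookup"), parts[-1], size))
    return dict(by_app)


def splunk_pattern_to_regex(pattern):
    """Assumed distsearch.conf.spec wildcard rules: '...' matches across '/', '*' does not, rest is regex."""
    return re.compile(re.sub(r"\.\.\.|\*", lambda m: ".*" if m.group() == "..." else "[^/]*", pattern))


def apply_blacklist(pattern, listing):
    """Split the listing into (excluded, kept) under one replicationBlacklist entry (full-path match assumed)."""
    rx = splunk_pattern_to_regex(pattern)
    excluded = [(p, s) for p, s in listing if rx.fullmatch(p)]
    kept = [(p, s) for p, s in listing if not rx.fullmatch(p)]
    return excluded, kept


# Candidate distsearch.conf entry (made-up name): bucketified_lookups = apps/*/lookups/*.index.(default|alive)
BLACKLIST_PATTERN = r"apps/*/lookups/*.index.(default|alive)"

if __name__ == "__main__":
    for app, items in find_bucketified(SAMPLE_BUNDLE).items():
        for lookup, name, size in items:
            print(f"{app}: {name} ({size} bytes) is a bucketified copy of {lookup}")
    excluded, kept = apply_blacklist(BLACKLIST_PATTERN, SAMPLE_BUNDLE)
    print(f"blacklist would drop {sum(s for _, s in excluded)} bytes; {len(kept)} files stay, incl. the .csv lookups")
```

Run it against a real listing (for example the output of `find "$SPLUNK_HOME/etc" -path '*/lookups/*'`, with sizes) to see which apps are contributing the mini-index files before deciding what to blacklist.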

isoutamo
SplunkTrust

I have seen even some tsidx files there… I just found those, so I haven't had time to figure out what and why those are there. I hope that someone knows that already.

Splunk 7.3.3 SHC with multisite IDX cluster.
