Solved: Knowledge bundle Error : directory contains large ...

Master_Blaster · ‎04-02-2021

Hi All,
I have an Warning message on my search head GUI as below:

"The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is /opt/splunk/var/run/hostename-randomnumber-randomnumber.delta"

When i validated respective delta file, it's not even one MB. Still getting this Warning message frequently. Could anyone please help ? i see same messages on splunkd.log too.

-rw------- 1 root root 188M Apr 2 10:36 hostname-1617352591.bundle
-rw------- 1 root root 80K Apr 2 10:36 hostname-1617352525-1617352591.delta

richgalloway · ‎04-02-2021

That warning is triggered by a lookup file that is larger than 50MB. If this is not a concern for you then consider changing the value of conf_replication_summary.concerning_file_size in server.conf.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-02-2021

That warning is triggered by a lookup file that is larger than 50MB. If this is not a concern for you then consider changing the value of conf_replication_summary.concerning_file_size in server.conf.

---
If this reply helps you, Karma would be appreciated.

rajuljain · ‎02-08-2022

How to get the lookup file name causing issue?

richgalloway · ‎02-08-2022

Examine the bundle file. tar -tf <bundle-file-name>

---
If this reply helps you, Karma would be appreciated.

Knowledge bundle Error : directory contains large lookup file

troubleshooting

using Splunk Enterprise

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies