Hi All, I have an Warning message on my search head GUI as below:
"The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is /opt/splunk/var/run/hostename-randomnumber-randomnumber.delta"
When i validated respective delta file, it's not even one MB. Still getting this Warning message frequently. Could anyone please help ? i see same messages on splunkd.log too.
-rw------- 1 root root 188M Apr 2 10:36 hostname-1617352591.bundle-rw------- 1 root root 80K Apr 2 10:36 hostname-1617352525-1617352591.delta
That warning is triggered by a lookup file that is larger than 50MB. If this is not a concern for you then consider changing the value of conf_replication_summary.concerning_file_size in server.conf.
View solution in original post
How to get the lookup file name causing issue?
Examine the bundle file. tar -tf <bundle-file-name>