Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk SHC cluster bundle with ES errors: What configs can I change to increase this limit so I can use my SHC Deployer?

andrew207
Path Finder
‎01-27-2022 07:17 PM

I have an SHC and I am using an SHC Deployer to deploy apps to it. Those apps include Splunk ES which is very large. The latest 7.0.0 update for ES may be so large that it causes errors when I apply the cluster bundle.

I have tried increasing max_content_length in [httpServer] in server.conf, this did not work.

What configs can I change to increase this limit so I can use my SHC Deployer? It seems odd that I can't deploy an unmodified ES installation according to the documentation because it's beyond Splunk's limits. 

 

 

splunk apply shcluster-bundle -target xxx -auth xxx

Error while deploying apps to target=xxx with members=x: Error while updating app=Splunk_SA_Scientific_Python_Linux_x86_64 on target=xxx: Non-200/201 status_code=413; {"messages":[{"type":"ERROR","text":"Content-Length of 2147484959 too large (maximum is 2147483648)"}]},...repeated for each member

 

 

 

 

Labels (2)
Reply

amgibby
Engager
‎06-29-2022 01:07 PM

We had the same problem deploying the same app (Splunk_SA_Scientific_Python_Linux_x86_64) using the deployer. Under the hood, the deployer is using HTTP to push app bundles to the Search Head Cluster. The search heads (acting as an HTTP server) are rejecting the bundle for this app because it exceeds the default setting for content length.

You need to modify server.conf on the search heads to include the following setting:

[httpServer]
max_content_length = 5000000000

This changes the default setting from 2147483648 (about 2 GB) to 5 GB.

Reply

gjlewis
Explorer
‎09-12-2023 09:06 AM

This worked for me, thanks!

0 Karma
Reply

tshah-splunk
Splunk Employee
Splunk Employee
‎01-27-2022 11:32 PM

This is a known issue for PSC app to cause bundle size to increase exponentially and the reason to have PSC app installed on standalone instances other than the clusters. However, PSC comes bundled with ES and cannot be separated from that. I discovered one of the conf setting mentioned in the upgrade steps for ES is to change the max_upload_size parameter in web.conf and increase it's value. 

Here's the link to upgrade doc for ES to v7.0.0 in SHC environment - https://docs.splunk.com/Documentation/ES/7.0.0/Install/UpgradeEnterpriseSecuritySHC.

An upvote is appreciated if this helps you resolve the issue.

---
If you find the answer helpful, an upvote/karma is appreciated
Reply

dwraesner
Explorer
Saturday

Hello tshah-splunk,

Increasing the max_upload_size in web.conf worked in my case.

Gave you a Karma point.

Thanks  😎

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...