Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk SHC cluster bundle with ES errors: What configs can I change to increase this limit so I can use my SHC Deployer?

andrew207
Path Finder
‎01-27-2022 07:17 PM

I have an SHC and I am using an SHC Deployer to deploy apps to it. Those apps include Splunk ES which is very large. The latest 7.0.0 update for ES may be so large that it causes errors when I apply the cluster bundle.

I have tried increasing max_content_length in [httpServer] in server.conf, this did not work.

What configs can I change to increase this limit so I can use my SHC Deployer? It seems odd that I can't deploy an unmodified ES installation according to the documentation because it's beyond Splunk's limits. 

 

 

splunk apply shcluster-bundle -target xxx -auth xxx

Error while deploying apps to target=xxx with members=x: Error while updating app=Splunk_SA_Scientific_Python_Linux_x86_64 on target=xxx: Non-200/201 status_code=413; {"messages":[{"type":"ERROR","text":"Content-Length of 2147484959 too large (maximum is 2147483648)"}]},...repeated for each member

 

 

 

 

Labels (2)
Reply

amgibby
Engager
‎06-29-2022 01:07 PM

We had the same problem deploying the same app (Splunk_SA_Scientific_Python_Linux_x86_64) using the deployer. Under the hood, the deployer is using HTTP to push app bundles to the Search Head Cluster. The search heads (acting as an HTTP server) are rejecting the bundle for this app because it exceeds the default setting for content length.

You need to modify server.conf on the search heads to include the following setting:

[httpServer]
max_content_length = 5000000000

This changes the default setting from 2147483648 (about 2 GB) to 5 GB.

Reply

gjlewis
Explorer
‎09-12-2023 09:06 AM

This worked for me, thanks!

0 Karma
Reply

tshah-splunk
Splunk Employee
Splunk Employee
‎01-27-2022 11:32 PM

This is a known issue for PSC app to cause bundle size to increase exponentially and the reason to have PSC app installed on standalone instances other than the clusters. However, PSC comes bundled with ES and cannot be separated from that. I discovered one of the conf setting mentioned in the upgrade steps for ES is to change the max_upload_size parameter in web.conf and increase it's value. 

Here's the link to upgrade doc for ES to v7.0.0 in SHC environment - https://docs.splunk.com/Documentation/ES/7.0.0/Install/UpgradeEnterpriseSecuritySHC.

An upvote is appreciated if this helps you resolve the issue.

---
If you find the answer helpful, an upvote/karma is appreciated
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...