knowledge bundle replication questions

cisaksen · ‎03-01-2021

We are setting up our first dedicated search head. Need some info of the Knowledge bundle replication process.

1) what is the maxbundlesize units ? the default 2048 - is this kb, MB etc...

2) does this replication process copy all the files from the ../apps ../users ../system to the search peer ? So that if you update a app on the search head it will automatically updated it on the search peer ?

3) what log does this process write to?

4) Is there a way to manually run this process, like from the command line or will simply restarting the splunk service kick it off?

Thanks

manjunathmeti · ‎03-02-2021

hi @cisaksen,

1. Yes maxBundleSize is in GB. The default value is 2GB.

2. Not all configuration files. Some configuration files (like authorize, props and transforms etc.) and assets like (csv/kvstore lookups etc) are copied to bundle. The search head replicates the knowledge bundle periodically in the background or when initiating a search.

3. metrics.log - indexed in _internal index.

index=_internal sourcetype=splunkd group=bundle*

4. No, The search head replicates the knowledge bundle periodically in the background or when initiating a search. You can run a search to replicate a newly cerated asset/config to search peers.

Check this page for more info: https://docs.splunk.com/Documentation/Splunk/8.1.2/DistSearch/Knowledgebundlereplication

If this reply helps you, an upvote/like would be appreciated.

knowledge bundle replication questions

administration

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...