Splunk Search

Dispatch Alert Question



I am getting a dispatch count alert . Indexers and search heads have plenty of RAM, CPU and IO is almost nothing. I can't think of a reason for this to start to backup. Honestly the environment is under almost no load.

My knee jerk here is to increase the jobs per CPU count. But wondering what others think here?

Dispatch Command: The number of search artifacts in the dispatch directory is higher than recommended (count=6444, warning threshold=5000) and could have an impact on search performance. Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size.
0 Karma

New Member

this solution i think work buddy
./splunk clean-dispatch run the command
splunkd clean-dispatch '' ''

0 Karma


Did you try cleaning dispatch directory?

0 Karma


could you please let me know where should i clean is it in indexer or search head ? i got message on one of the dev search head saying that "search peer has following message " . so , where should i run the below command if clean dispatch is it impacts anything ?

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.