Re: Dispatch Alert Question

daniel333 · ‎12-26-2018

all,

I am getting a dispatch count alert . Indexers and search heads have plenty of RAM, CPU and IO is almost nothing. I can't think of a reason for this to start to backup. Honestly the environment is under almost no load.

My knee jerk here is to increase the jobs per CPU count. But wondering what others think here?

Dispatch Command: The number of search artifacts in the dispatch directory is higher than recommended (count=6444, warning threshold=5000) and could have an impact on search performance. Remove excess search artifacts using the "splunk clean-dispatch" CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size.

zippyopsadmin · ‎10-15-2019

this solution i think work buddy
./splunk clean-dispatch run the command
splunkd clean-dispatch '' ''

p_gurav · ‎12-26-2018

Did you try cleaning dispatch directory?

90509 · ‎05-16-2020

could you please let me know where should i clean is it in indexer or search head ? i got message on one of the dev search head saying that "search peer has following message " . so , where should i run the below command if clean dispatch is it impacts anything ?

Dispatch Alert Question

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation