
Issues with Knowledge Bundle in Splunk Cluster (SHC + Index Cluster)

gfuente
Motivator

Hello all,

We have this Splunk 6.2.1 Architecture, on Linux VM machines:

3 SH in SHC
1 Master + Deployer
3 Cluster Peers

We have an app in the SHs, that contains a big lookup (200MB) that needs to be replicated to the 3 IDXs (for filtering purposes). It seems that we are having issues with the replication of the Knowledge Bundle, as we are getting this error on the SHs (while running a query):

[indexer1name] Search Process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in the search.log for this peer in the Job Inspector for more info.

And the same message appears for the other 2 indexers.

So, I would like to know: is the mounted knowledge bundle supported with SHC? (I didn't find anything related in the docs: http://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Mounttheknowledgebundle)

What other options do we have, as we need to replicate this lookup into the IDXs?

Thanks

0 Karma

theunf
Communicator

I have the mounted bundle scenario working fine with:
7 SHs
1 Deployer
1 Master
8 Indexers

My knowledge bundle is also big in the number of apps, lookups and so on. Sometimes error 255 also appeared.

I used mounted bundles since SHP, doing an rsync from the master, where the NFS export was being shared, to all indexers.
With SHC it changed to a script that runs on all SHs:
1st, the script checks who is the captain (splunk show shcluster-status).
If the captain is the SH running the script, it'll rsync all non-Splunk-default apps to all indexers.

The indexers' distributedsearch.conf is the same as in SHP.

Take a look at my question about deployer shcluster apps sync:
http://answers.splunk.com/answers/241549/how-to-prevent-deployer-from-pushing-old-content-w.html

0 Karma
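The captain-check-then-rsync procedure described in the reply above, as an added example that is not theunf's script or anything from Splunk. It assumes the "Captain:" block of `splunk show shcluster-status` contains a whitespace-separated `label : <name>` line, that member labels equal short hostnames, that ssh keys to the indexers exist, and that `INDEXERS`, `SPLUNK_HOME` and the default-app list are supplied by the operator.

```shell
#!/bin/sh
# Added example, not theunf's script: from the SHC captain, rsync every
# non-default app to each indexer, following the procedure in the reply.
# Assumed: the "Captain:" block of `splunk show shcluster-status` has a
# whitespace-separated "label : <name>" line, labels equal short hostnames,
# ssh keys to the indexers exist; INDEXERS and SPLUNK_HOME come from the env.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
INDEXERS="${INDEXERS:-idx1 idx2 idx3}"      # constructed indexer names
# Apps shipped with Splunk that must never be pushed (constructed list).
DEFAULT_APPS="search launcher learned splunk_httpinput splunk_instrumentation"
# Print the captain's label from shcluster-status text read on stdin.
captain_label() {
    awk '/Captain:/ { in_cap = 1; next }
         /Members:/ { in_cap = 0 }
         in_cap && $1 == "label" { print $3; exit }'
}

# Succeed only when label $1 is the captain (status text on stdin).
is_captain() {
    [ "$(captain_label)" = "$1" ]
}

# Succeed when $1 is one of Splunk's own default apps.
is_default_app() {
    for d in $DEFAULT_APPS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# List non-default app names under $SPLUNK_HOME/etc/apps, one per line.
custom_apps() {
    for p in "$SPLUNK_HOME"/etc/apps/*/; do
        [ -d "$p" ] || continue
        a=$(basename "$p")
        is_default_app "$a" || echo "$a"
    done
}

# Mirror every custom app to every indexer; --delete removes stale files.
sync_apps() {
    for idx in $INDEXERS; do
        for a in $(custom_apps); do
            rsync -az --delete "$SPLUNK_HOME/etc/apps/$a/" \
                "splunk@$idx:$SPLUNK_HOME/etc/apps/$a/"
        done
    done
}
# Only act when invoked as "sync.sh run", and only on the captain.
if [ "${1:-}" = "run" ]; then
    "$SPLUNK_HOME"/bin/splunk show shcluster-status | is_captain "$(hostname -s)" && sync_apps
fi
```

Run it from cron on every SHC member with the `run` argument; only the node whose label matches the captain pushes anything, so a captain change needs no reconfiguration.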

ewoo
Splunk Employee

Mounted bundles introduce their own maintenance costs, especially in terms of understanding the performance requirements on the NFS server as search concurrency increases and the number of indexers grows.

Do you know why/how bundle replication is failing? What ERRORs/WARNs do you see on the search head in splunkd.log and on the indexers in splunkd.log/splunkd_access.log?

If it's not possible to make bundle replication work (e.g. due to network usage constraints), one other option is to blacklist the large lookup (via distsearch.conf) and then perform the lookup locally on the search head (with "| lookup local=true").
