Splunk Search

Large lookup files.

drussell88
Explorer

I am getting a warning in my splunkd.log for DistributedBundleReplicationManager.
03-15-2013 08:44:28.028 -0400 WARN DistributedBundleReplicationManager - bundle replication to 1 peer(s) took too long (29578ms), bundle file size=64480KB, replication_id=1363351438.
I read that this may be caused by a large lookup file. What is this file they are talking about and where do I find it? I am getting this error about once a minute and it is always the same size, so I am assuming it is the same file.

0 Karma

Strype
Path Finder

Are you looking for all lookup files?

Manager» Lookups» Lookup table files

Likely a csv file used in a search. The knowledge bundle can be found at Splunk Home>var>run>searchpeers>(latest).bundle (that is a file so replace > with backslash), on the search peer. It'll be in there along with every other one you have.

I'm having a similar problem except that mine is past the warn stage.

martin_mueller
SplunkTrust

Your bundle is 64MB, so I guess there is 63MB worth of lookup files somewhere in /lookups of some distributed app.

0 Karma
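
One way to find which files account for the bundle size discussed in this thread, as an added example that is not part of the original posts. It assumes the knowledge bundle is a tar archive; the function names and the sample paths and sizes are constructed for illustration.

```python
import io
import sys
import tarfile

# Constructed sample contents (paths and sizes are illustrative only).
SAMPLE = [
    ("apps/search/lookups/assets.csv", 5000),
    ("apps/search/default/props.conf", 200),
    ("apps/myapp/lookups/geo.csv", 3000),
    ("users/admin/search/local/savedsearches.conf", 100),
]


def scan_bundle(bundle):
    """Return [(size_bytes, name), ...] for regular files, largest first.

    `bundle` is a filesystem path or a seekable binary file object.
    Assumption: the bundle is a (possibly compressed) tar archive.
    """
    kwargs = {"name": bundle} if isinstance(bundle, str) else {"fileobj": bundle}
    with tarfile.open(mode="r:*", **kwargs) as tar:
        return sorted(((m.size, m.name) for m in tar if m.isfile()), reverse=True)


def lookup_bytes(members):
    """Total bytes held by files under any lookups/ directory."""
    return sum(size for size, name in members if "/lookups/" in "/" + name)


def constructed_bundle():
    """Build a small in-memory tar that mimics a bundle layout."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, size in SAMPLE:
            info = tarfile.TarInfo(name)
            info.size = size
            tar.addfile(info, io.BytesIO(b"x" * size))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass the path to a .bundle file, or run without arguments for the sample.
    source = sys.argv[1] if len(sys.argv) > 1 else constructed_bundle()
    members = scan_bundle(source)
    total = sum(size for size, _ in members)
    print(f"lookups: {lookup_bytes(members)} of {total} bytes")
    for size, name in members[:10]:
        print(f"{size:>12}  {name}")
```
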