Mounted Bundle path - Search Head


How does the search head know the location of the mounted bundle? When you configure the mounted bundle you add this stanza to the distsearch.conf on the search head:

disabled_servers = pl-wlmsplpp02:8089
servers = pl-wlmsplpp03:8089,pl-wlmsplpp04:8089

Then on the search peers you would use the below:


Our question is how does the search head know the location of the mounted bundle? We are seeing that changes, like adding a new field, are being saved to the local directory on the search head and not the mounted bundle. How can we point the search head to the mounted bundle location?


Can we create a symlink in indexers for search peers' bundles?



@divyavikas123 This thread is more than three years old. For a better chance at a helpful response, please post a new question describing your problem.

If this reply helps you, Karma would be appreciated.


Thanks DaClyde. No correction needed. It was just the direction I needed to figure out how to mount bundles in Windows. For the benefit of future readers, here are the specific steps I took. This is for one search head (searcher01) and one search peer (indexer01) with Splunk installed on D: drives in both cases.

On the search head searcher01...
Created a share etc$ giving Everyone READ permissions

net share etc$="D:\Program Files\Splunk\etc" /GRANT:Everyone,READ

Then edited distsearch.conf to set shareBundles = false.

Notepad.exe "D:\Program Files\Splunk\etc\system\local\distsearch.conf"

    servers = indexer01:8089
    shareBundles = false

(I didn't know whether to remove "servers = indexer01:8089" above so I left it, apparently without adverse effect.)

On the search peer indexer01...
Created a new directory and then linked to search head's etc$ share...

mkdir \shared-bundles
cd  \shared-bundles
mklink /D searcher01 \\searcher01\etc$

Created new file distsearch.conf with one stanza.

  Notepad.exe "D:\Program Files\Splunk\etc\system\local\distsearch.conf"

   mounted_bundles = true
   bundles_location = d:\shared-bundles\searcher01
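
An added example, not part of the original posts: the etc$ share in the steps above is readable by Everyone, and the Splunk etc directory includes etc\auth, so this PowerShell sketch flags broad principals on the share and narrows read access to the account the search peer runs as. The account `EXAMPLE\svc-splunk-peer` and both function names are assumptions made for illustration; the SmbShare cmdlets are the standard Windows ones.

```powershell
# Added example, not from the thread. Run on the search head (searcher01).
# Assumption: the search peer's splunkd runs as the placeholder account below;
# if it runs as LocalSystem, use the peer's computer account instead.
$ShareName   = 'etc$'
$PeerAccount = 'EXAMPLE\svc-splunk-peer'   # placeholder, replace with yours

# Principals that open a share to far more than the one search peer.
$BroadPrincipals = @(
    'Everyone'
    'NT AUTHORITY\Authenticated Users'
    'NT AUTHORITY\ANONYMOUS LOGON'
    'BUILTIN\Users'
)

function Get-BroadShareEntry {
    # Returns the Allow entries whose account is one of the broad principals.
    param([Parameter(Mandatory)] [object[]] $AccessEntry)
    $AccessEntry | Where-Object {
        "$($_.AccessControlType)" -eq 'Allow' -and
        $BroadPrincipals -contains $_.AccountName
    }
}

function Set-PeerOnlyShareAccess {
    # Grants the peer Read first so bundle access is never interrupted,
    # then revokes each broad entry and returns the resulting share ACL.
    param([string] $Name, [string] $Account)
    Grant-SmbShareAccess -Name $Name -AccountName $Account -AccessRight Read -Force | Out-Null
    foreach ($e in @(Get-BroadShareEntry -AccessEntry (Get-SmbShareAccess -Name $Name))) {
        Revoke-SmbShareAccess -Name $Name -AccountName $e.AccountName -Force | Out-Null
    }
    Get-SmbShareAccess -Name $Name
}

# Constructed sample mirroring the shape of Get-SmbShareAccess output.
$sample = @(
    [pscustomobject]@{ AccountName = 'Everyone'; AccessControlType = 'Allow'; AccessRight = 'Read' }
    [pscustomobject]@{ AccountName = $PeerAccount; AccessControlType = 'Allow'; AccessRight = 'Read' }
)
Get-BroadShareEntry -AccessEntry $sample | Format-Table AccountName, AccessRight

# On the live search head (elevated prompt), uncomment to apply:
# Set-PeerOnlyShareAccess -Name $ShareName -Account $PeerAccount
```

Effective access over SMB is the more restrictive of the share permissions and the NTFS ACL, so the same account also needs read access on the etc folder itself.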


As best as I can make out, the only way to make this work (since there is no configurable option in the search head as to where its ETC folder resides) is to use a symbolic link and mount the copy of the etc folder on the shared storage to where the search head would normally expect the etc folder to reside.

In Windows, there is now a mklink command for mounting a network share directly into the folder structure you want, similar to what *nix has always had.

If your knowledge bundle is here: \\NAS\KB\etc\

On Windows you would use mklink something like this:

Navigate to your %SPLUNK_HOME% location (something like C:\Program Files\Splunk), then execute the command from there:

mklink /D etc "\\NAS\KB\etc\"

So now, your C:\Program Files\Splunk\etc folder is actually a link to \\NAS\KB\etc, but the search head just sees it as a local folder (provided all the permissions are set properly to allow the search head to write to the shared storage).

Someone please correct me if this is incorrect. This was the best I could work out since the Splunk documentation always assumes the end-user already knows how to do everything non-Splunk related.
