Splunk Search

Search Heads complain about " Archiver - Archiving large_file". Should I have mounted bundles in search head clustering or not?

Path Finder

Just moved to a new 6.2.2 Search Head Cluster (SHC) from a Search Head Pool (SHP) which had mounted bundles enabled. I have not enabled mounted bundles in the SHC. I am running an Indexer Cluster (10 slaves.)

I have several large (100-200+mb) lookup files that update multiple times per day. The new SHC are constantly complaining in splunkd.log (names changed to protect the guilty):

03-20-2015 11:06:14.343 -0700 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/APPNAME/lookups/LARGELOOKUP.csv of size_in_bytes=67709135 (exceeding concerning_threshold=52428800)

According to my Google Fu, this is simply informing me that the lookup is larger than the max 50mb individual file size in a knowledge bundle. (Interestingly the distsearch.conf doc calls this setting "concerningReplicatedFileSize" but the INFO line clearly says concerning_threshold.)

According to Splunk Docs "the practical use case for mounted bundles is now extremely limited" (http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Mounttheknowledgebundle)

Is it worth using mounted bundles, or is this a feature that's destined for removal?

0 Karma

Splunk Employee
Splunk Employee

This is expected behavior, which is why the message is only at the INFO level. If the lookup file is actually changing, it's expected for this file to be tarred up and sent over the network every so often. If you are finding this message bothersome, you can bump the logger level for this channel to WARN.

If you're not having any associated problems with network congestion or response speed, you can just ignore the message.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...