Splunk Search

Search Heads complain about " Archiver - Archiving large_file". Should I have mounted bundles in search head clustering or not?

ckurtz
Path Finder

Just moved to a new 6.2.2 Search Head Cluster (SHC) from a Search Head Pool (SHP) which had mounted bundles enabled. I have not enabled mounted bundles in the SHC. I am running an Indexer Cluster (10 slaves.)

I have several large (100-200+mb) lookup files that update multiple times per day. The new SHC are constantly complaining in splunkd.log (names changed to protect the guilty):

03-20-2015 11:06:14.343 -0700 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/APPNAME/lookups/LARGELOOKUP.csv of size_in_bytes=67709135 (exceeding concerning_threshold=52428800)

According to my Google Fu, this is simply informing me that the lookup is larger than the max 50mb individual file size in a knowledge bundle. (Interestingly the distsearch.conf doc calls this setting "concerningReplicatedFileSize" but the INFO line clearly says concerning_threshold.)

According to Splunk Docs "the practical use case for mounted bundles is now extremely limited" (http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Mounttheknowledgebundle)

Is it worth using mounted bundles, or is this a feature that's destined for removal?

0 Karma

Steve_G_
Splunk Employee
Splunk Employee

This is expected behavior, which is why the message is only at the INFO level. If the lookup file is actually changing, it's expected for this file to be tarred up and sent over the network every so often. If you are finding this message bothersome, you can bump the logger level for this channel to WARN.

If you're not having any associated problems with network congestion or response speed, you can just ignore the message.

0 Karma
Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...