Splunk Search

Search Heads complain about " Archiver - Archiving large_file". Should I have mounted bundles in search head clustering or not?

ckurtz
Path Finder

Just moved to a new 6.2.2 Search Head Cluster (SHC) from a Search Head Pool (SHP) which had mounted bundles enabled. I have not enabled mounted bundles in the SHC. I am running an Indexer Cluster (10 slaves.)

I have several large (100-200+mb) lookup files that update multiple times per day. The new SHC are constantly complaining in splunkd.log (names changed to protect the guilty):

03-20-2015 11:06:14.343 -0700 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/APPNAME/lookups/LARGELOOKUP.csv of size_in_bytes=67709135 (exceeding concerning_threshold=52428800)

According to my Google Fu, this is simply informing me that the lookup is larger than the max 50mb individual file size in a knowledge bundle. (Interestingly the distsearch.conf doc calls this setting "concerningReplicatedFileSize" but the INFO line clearly says concerning_threshold.)

According to Splunk Docs "the practical use case for mounted bundles is now extremely limited" (http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Mounttheknowledgebundle)

Is it worth using mounted bundles, or is this a feature that's destined for removal?

0 Karma

Steve_G_
Splunk Employee
Splunk Employee

This is expected behavior, which is why the message is only at the INFO level. If the lookup file is actually changing, it's expected for this file to be tarred up and sent over the network every so often. If you are finding this message bothersome, you can bump the logger level for this channel to WARN.

If you're not having any associated problems with network congestion or response speed, you can just ignore the message.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...