Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do real time searches create many rt_scheduler_* directories, how can I control them

chris
Motivator
‎07-06-2014 11:41 PM

I have set up a single real time alert that creates about 1000 rt_scheduler__ entries in /var/run/splunk/dispatch/. Is there a possibility control the amount of directories that are created (is this related to the ttl of the search)?
Otherwise I will have to increase the dispatch_dir_warning_size in limits.conf which is not really a solution if I configure additional alerts.

[rtalert_nevis_err_requests_1min]
action.email = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
action.email.sendresults = 1
action.email.to = me@me.com
alert.digest_mode = False
alert.expires = 6h
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 30m
alert.track = 0
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt
displayview = flashtimeline
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_view = flashtimeline
search = sourcetype="proxy"   | stats sum(req) as req sum(req_4xx) as req_4xx sum(req_5xx) as req_5xx by host | eval error_rate=if(req==0,0,round((req_4xx+req_5xx)/req,3)) | where error_rate>0,5
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎07-11-2014 03:12 AM

I had to set the alert condition of the alerts to something different that "always". This prevents splunk from creating a directory every time the alert is run/triggered which is a lot for rt alerts.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

chris
Motivator
‎07-11-2014 03:12 AM

I had to set the alert condition of the alerts to something different that "always". This prevents splunk from creating a directory every time the alert is run/triggered which is a lot for rt alerts.

0 Karma
Reply
Solved! Jump to solution

sourabh_varshne
Explorer
‎07-07-2014 06:09 AM

Hi Chris,You dnt have option other than to manually delete the data from your dispatch directory if your alert creates 1000 entries . This is taken care by default from Splunk only.

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎07-11-2014 03:09 AM

Thank you for taking time to reply, manually deleting the directories does not solve the problem

0 Karma
Reply
Solved! Jump to solution

sourabh_varshne
Explorer
‎07-07-2014 06:08 AM

Hi Chris,

You dnt have option other than to manually delete the data from your dispatch directory if your alert creates 1000 entries . This is taken care by default from Splunk only.

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...