Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do real time searches create many rt_scheduler_* directories, how can I control them

chris
Motivator
‎07-06-2014 11:41 PM

I have set up a single real time alert that creates about 1000 rt_scheduler__ entries in /var/run/splunk/dispatch/. Is there a possibility control the amount of directories that are created (is this related to the ttl of the search)?
Otherwise I will have to increase the dispatch_dir_warning_size in limits.conf which is not really a solution if I configure additional alerts.

[rtalert_nevis_err_requests_1min]
action.email = 1
action.email.inline = 1
action.email.reportServerEnabled = 0
action.email.sendresults = 1
action.email.to = me@me.com
alert.digest_mode = False
alert.expires = 6h
alert.suppress = 1
alert.suppress.fields = host
alert.suppress.period = 30m
alert.track = 0
cron_schedule = * * * * *
dispatch.earliest_time = rt-1m
dispatch.latest_time = rt
displayview = flashtimeline
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_view = flashtimeline
search = sourcetype="proxy"   | stats sum(req) as req sum(req_4xx) as req_4xx sum(req_5xx) as req_5xx by host | eval error_rate=if(req==0,0,round((req_4xx+req_5xx)/req,3)) | where error_rate>0,5
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎07-11-2014 03:12 AM

I had to set the alert condition of the alerts to something different that "always". This prevents splunk from creating a directory every time the alert is run/triggered which is a lot for rt alerts.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

chris
Motivator
‎07-11-2014 03:12 AM

I had to set the alert condition of the alerts to something different that "always". This prevents splunk from creating a directory every time the alert is run/triggered which is a lot for rt alerts.

0 Karma
Reply
Solved! Jump to solution

sourabh_varshne
Explorer
‎07-07-2014 06:09 AM

Hi Chris,You dnt have option other than to manually delete the data from your dispatch directory if your alert creates 1000 entries . This is taken care by default from Splunk only.

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎07-11-2014 03:09 AM

Thank you for taking time to reply, manually deleting the directories does not solve the problem

0 Karma
Reply
Solved! Jump to solution

sourabh_varshne
Explorer
‎07-07-2014 06:08 AM

Hi Chris,

You dnt have option other than to manually delete the data from your dispatch directory if your alert creates 1000 entries . This is taken care by default from Splunk only.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...