I recently enabled searchhead pooling and mounted knowledge bundles using an NFS store mounted to /mnt/shp/ on each of my splunk servers. the {users,apps,system} directories are on /mnt/shp/etc/{users,apps,system}. i've noticed the searchheads have started writing to some "var" directories: /mnt/shp/var/run/splunk/{dispatch,lookup_tmp, rss, scheduler, srtemp}. I don't remember seeing this anywhere in the documentation. is it expected? what is it for? do the search peers (indexers) uses these directories with regards to mounted knowledge bundles?
... View more