DO NOT install Splunk to the default Windows file path, i.e. C:\Program Files\Splunk. You'll find that Splunk can't create certain temp files (hashed search temp directories and files to be specific) due to the fact that the file path violates the Windows 260 character file path limitation. What'll end up happening is that Splunk will suck up all the RAM available until SplunkD finally completely crashes, since it has nowhere to store stuff temporarily.
Amazingly, the longest file path I've ever seen Splunk try to create unsuccessfully is 264 characters. Really? 4 Characters? Although I suppose that it could be longer or shorter depending on the name of the Search head referenced in the path. You Splunk coder guys couldn't have found somewhere to shorten up this file path or restrict it to less than the maximum number of characters allowed by the OS?
For example:
*C:\Program Files\Splunk\var\run\splunk\dispatch\remote_SearchHeadName_scheduler__admin_c3BsdW5rX2FwcF93aW5kb3dzX2luZnJhc3RydWN0dXJl__RMD5e93ff07c552f3ee0_at_1477516800_3187_F5AAE4E2-7A34-4327-8CDA-83913FB48502\index_buckets.csv.647C07D6-2813-4D98-AD2E-ED1FCACEB554.tmp*
I mean, you've already got multiple Hashes going on here, can't you just remove the index_buckets.csv. part and save like 17 characters?
Just goes back to the whole issue of Windows Installs being treated like the second class installs.
Yes, supposedly this restriction is removable in Windows 10, and hopefully that means the same is true for Server 2016, but I haven't found any documentation to definitively state that one way or another.
Also, given that there's a requirement to enable it via either registry key or Group Policy, and that there are other caveats, I don't fully trust Windows to support this functionality, nor Splunk's ability to access it reliably.
Trust me, you're better off avoiding the whole issue entirely, and just installing to C:\Splunk or D:\Splunk or whatever drive letter you'd prefer. Better yet, go NIX.
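The length arithmetic behind the failure described above, as an added example that is not part of the original post and not Splunk's code: it rebuilds the post's sample dispatch path under different install roots and works out how long a search head name can be before the path overruns the limit. The function names are hypothetical, and the check assumes the Win32 rule that the 260-character MAX_PATH includes the terminating NUL.

```python
import ntpath

MAX_PATH = 260  # Win32 limit; counts the terminating NUL, so 259 usable characters

# Sample path from the post, split off at the install root. "SearchHeadName"
# is the post's own placeholder for the real search head name.
PLACEHOLDER = "SearchHeadName"
SAMPLE_TAIL = (
    r"var\run\splunk\dispatch"
    r"\remote_SearchHeadName_scheduler__admin_"
    r"c3BsdW5rX2FwcF93aW5kb3dzX2luZnJhc3RydWN0dXJl__RMD5e93ff07c552f3ee0"
    r"_at_1477516800_3187_F5AAE4E2-7A34-4327-8CDA-83913FB48502"
    r"\index_buckets.csv.647C07D6-2813-4D98-AD2E-ED1FCACEB554.tmp"
)


def dispatch_path(install_root, search_head=PLACEHOLDER):
    """Rebuild the sample temp-file path under a given install root."""
    tail = SAMPLE_TAIL.replace(PLACEHOLDER, search_head, 1)
    return ntpath.join(install_root, tail)


def fits(path, limit=MAX_PATH):
    """True if the path plus its terminating NUL stays within the limit."""
    return len(path) + 1 <= limit


def max_search_head_len(install_root, limit=MAX_PATH):
    """Longest search head name that still fits for this install root."""
    fixed = len(dispatch_path(install_root, ""))
    return max(0, limit - 1 - fixed)


def report(roots, search_head=PLACEHOLDER):
    """Return (root, path length, fits, name headroom) for each install root."""
    rows = []
    for root in roots:
        path = dispatch_path(root, search_head)
        rows.append((root, len(path), fits(path), max_search_head_len(root)))
    return rows


if __name__ == "__main__":
    roots = [r"C:\Program Files\Splunk", r"C:\Splunk", r"D:\Splunk"]
    for root, length, ok, room in report(roots):
        print(f"{root:<26} len={length:<4} fits={ok!s:<5} max name len={room}")
```

The same budget applies to any other artifact that embeds the app name, user and search ID in its path, so a longer app or user name shrinks the headroom further.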