The dispatch directory contains information about outstanding searches as well the results from completed searches. Completed searches should be cleaned up automatically after 10 minutes (default setting), but can be as long as 7 days if the results are shared by the user who ran the search. Deleting files from the dispatch directory has no affect on your data - that's always safe in your indexes. A deleted artifact could cause a dashboard to fail, however, if it tries to use the results of a saved search that are no longer there.
... View more
Hi! Splunk instance can be configured as standalone deployment or as part of the clustered component. Standalone deployment basically inherits all of the components into a single instance where you can index incoming data and search them while acting as License Master and monitoring console. There is a possibility that your particular instance might be either standalone or part of indexer because normally other Splunk components are less likely to get alerts on free space. I probably begin by checking your host's disk utilization and check $SPLUNK_HOME/etc/system/local/server.conf to get any hint of this deployment. If you have [clustering] stanza defined inside your server.conf file, high chance that there may be other Splunk components residing in your environment. https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Serverconf You can also use Splunk cmd btool to check configuration which should help you find out the topology of the deployment. https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/Usebtooltotroubleshootconfigurations
... View more