This happens when the search-head is pushing a search bundle that is too large to the indexers. The default bundle max size (maxBundleSize) is 1GB and the default http packet size (max_content_length) accepted by splunkd is 800MB 😞 Therefore : when 1024MB> bundle >800MB see an http error from the indexers. "failed_because_BUNDLE_DATA_TRANSMIT_FAILURE" or "ERROR DistributedBundleReplicationManager - got non-200 response from peer" when the bundle is >1024MB we see a different error, from the search-head. Workarounds : RECOMMENDED :reduce the bundle size (trim your lookups, use blacklists in distsearch.conf) LESS RECOMMENDED : allow larger bundles example : to bump the bundle size to 2GB max on Indexers , edit server.conf (push from cluster master etc/master-apps in a cluster) [httpServer] max_content_length = 2147483648 # in bytes => 2GBdistsearch.conf on Search-head [replicationSettings] maxBundleSize= 2097152 # in MB => 2GB ... View more

As per http://docs.splunk.com/Documentation/Splunk/6.0.2/RESTAPI/RESTaccess#POST_authentication.2Fusers.2F.7Bname.7D you will need to specify the entire value for the field roles , in your example like this: ./splunk _internal call /services/authentication/users/prem -post:roles "admin" -post:roles "some_role" -post:roles "another_role" -post:roles "new_role" You're passing a new value for roles , so if the value you pass only has one entry in it then you will drop the old values. Else there would be no way to remove a role from a user. ... View more

I don´t think so, take a look at this table: http://docs.splunk.com/Documentation/Splunk/latest/Installation/Systemrequirements#Supported_OSes Regards ... View more