Can I safely remove old cluster remote-bundle dire...

datajock · ‎11-02-2015

I am using up a lot of disk space under ${SPLUNK_HOME}/var/run/splunk/cluster/remote-bundle on our Cluster Manager/Master and noticed that it seems like all of the Remote Bundles ever created are still taking up space in this directory.

I would like to know if I can safely remove the older directories or if there is a command I should use for doing this. Also, is there a setting for telling Splunk to only keep a certain number of previous bundles?

datajock · ‎11-13-2015

I ended up opening a ticket with Splunk and they let me know that this is a known issue and is scheduled to be fixed in a future release. Until then, they suggest that you be very careful removing any of these and make sure you do not remove the current one in use and keep something like 5 to 10 older ones. Otherwise, it is safe to remove the old ones.

vsingla1 · ‎12-21-2015

I am also facing the same issue in Splunk 6.2.3. Which version are you running?

datajock · ‎12-21-2015

I am running 6.2.4

robert_miller · ‎04-06-2016

We are now running into this issue and we are using 6.3.3.

USPSSplunkSuppo · ‎05-10-2016

Still present in 6.4 !

cmeerbeek · ‎03-29-2017

Large bundles is not a Splunk issue but usaully an issue with large lookups which should not be pushed to the indexers.
Try to blacklist lookups so they won't get pushed to the indexers.

Can I safely remove old cluster remote-bundle directories to free up disk space?

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector