
What does this splunkd.log event mean? 07-19-2013 04:19:02.641 -0400 INFO Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/city.dat of size_in_bytes=54745499 (exceeding concerning_threshold=52428800)

mctester
Communicator

I'm seeing a repeated pattern of events in splunkd.log, relating to several .dat files in the MAXMIND app. What is the event trying to tell me?

07-19-2013 04:16:57.956 -0400 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/org.dat of size_in_bytes=125619791 (exceeding concerning_threshold=52428800)
07-19-2013 04:16:58.168 -0400 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/city.dat of size_in_bytes=54745499 (exceeding concerning_threshold=52428800)
07-19-2013 04:18:00.186 -0400 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/org.dat of size_in_bytes=125619791 (exceeding concerning_threshold=52428800)
07-19-2013 04:18:00.399 -0400 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/city.dat of size_in_bytes=54745499 (exceeding concerning_threshold=52428800)
07-19-2013 04:19:02.420 -0400 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/org.dat of size_in_bytes=125619791 (exceeding concerning_threshold=52428800)
07-19-2013 04:19:02.641 -0400 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/city.dat of size_in_bytes=54745499 (exceeding concerning_threshold=52428800)

I see it so often in the logs that I'm concerned that I have a problem, but there's nothing in the message to confirm a) that there actually IS a problem, and b) what to do about it.

1 Solution

Mick
Splunk Employee

This event happens in the context of distributed search. It is coming from bundle replication, which is attempting to tar up all of your app files to push the search bundle to your indexers. In order to make this manageable, Splunk has a default limit of 50MB, which can be tuned with the following setting in distsearch.conf, in the [replicationSettings] stanza -

concerningReplicatedFileSize =
* Any individual file within a bundle that is larger than this value (in MB) will trigger a splunkd.log message.
* Where possible, avoid replicating such files, e.g. by customizing your blacklists.
* Defaults to: 50

However, the better solution here would be to simply blacklist these, and any other large files that are not necessary for searching on the indexers. Read the information here about controlling the size of your replicated bundles - http://docs.splunk.com/Documentation/Splunk/5.0.4/Deploy/Configuredistributedsearch#Limit_the_knowle...

And then for any changes you want to make to white & blacklist settings, you can edit the distsearch.conf file - http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Distsearchconf
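As an added example that is not part of this thread and not Splunk's own code: a small Python script that parses the Archiver events quoted in the question, reports how often each file is flagged and by how much it exceeds concerning_threshold, and renders the [replicationBlacklist] stanza for distsearch.conf that the answer above recommends. Assumptions: $SPLUNK_HOME is /opt/splunk (taken from the paths in the question); bundle blacklist entries are matched against paths relative to $SPLUNK_HOME/etc, as described in distsearch.conf.spec, and the literal relative paths emitted here match under that spec's pattern syntax (check the spec shipped with your version before relying on it); the one non-Archiver line in the sample log is constructed to show the filter ignoring it; the entry names (exclude_org_dat and so on) are descriptive only.

```python
import re
from collections import OrderedDict

# Assumed from the paths in the question; bundle replication only covers $SPLUNK_HOME/etc.
SPLUNK_HOME = "/opt/splunk"

# Constructed sample: the six Archiver events from the question plus one unrelated
# INFO line (constructed) that the parser must ignore.
SAMPLE_LOG = """\
07-19-2013 04:16:57.956 -0400 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/org.dat of size_in_bytes=125619791 (exceeding concerning_threshold=52428800)
07-19-2013 04:16:58.168 -0400 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/city.dat of size_in_bytes=54745499 (exceeding concerning_threshold=52428800)
07-19-2013 04:17:30.000 -0400 INFO  SomeOtherComponent - constructed noise line, not an Archiver event
07-19-2013 04:18:00.186 -0400 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/org.dat of size_in_bytes=125619791 (exceeding concerning_threshold=52428800)
07-19-2013 04:18:00.399 -0400 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/city.dat of size_in_bytes=54745499 (exceeding concerning_threshold=52428800)
07-19-2013 04:19:02.420 -0400 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/org.dat of size_in_bytes=125619791 (exceeding concerning_threshold=52428800)
07-19-2013 04:19:02.641 -0400 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/MAXMIND.new/bin/city.dat of size_in_bytes=54745499 (exceeding concerning_threshold=52428800)
"""

# Matches exactly the "Archiving large_file=... (exceeding concerning_threshold=...)" shape.
ARCHIVER_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+Archiver - Archiving large_file=(?P<path>\S+) "
    r"of size_in_bytes=(?P<size>\d+) "
    r"\(exceeding concerning_threshold=(?P<threshold>\d+)\)\s*$"
)


def parse_archiver_events(text):
    """Return one dict per Archiver large_file event; all other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ARCHIVER_RE.match(line)
        if m:
            events.append({
                "ts": m.group("ts"),
                "path": m.group("path"),
                "size": int(m.group("size")),
                "threshold": int(m.group("threshold")),
            })
    return events


def summarize(events):
    """Group by file: how many times it was reported and how far over the threshold it is."""
    summary = OrderedDict()
    for ev in events:
        entry = summary.setdefault(ev["path"], {
            "count": 0, "size": ev["size"], "threshold": ev["threshold"],
        })
        entry["count"] += 1
        entry["size"] = max(entry["size"], ev["size"])
        entry["over_by_mb"] = round((entry["size"] - entry["threshold"]) / (1024 * 1024), 1)
    return summary


def bundle_relative(path, splunk_home=SPLUNK_HOME):
    """Path relative to $SPLUNK_HOME/etc, the form white/blacklist entries are matched against."""
    prefix = splunk_home.rstrip("/") + "/etc/"
    if not path.startswith(prefix):
        raise ValueError(f"{path} is not under {prefix}; it would not be in the bundle anyway")
    return path[len(prefix):]


def suggest_blacklist(summary, splunk_home=SPLUNK_HOME):
    """Render a [replicationBlacklist] stanza listing every file that tripped the threshold."""
    lines = ["[replicationBlacklist]"]
    for path in summary:
        rel = bundle_relative(path, splunk_home)
        # Entry names are descriptive only (assumption per the spec); derive them from the file name.
        name = "exclude_" + re.sub(r"[^A-Za-z0-9]+", "_", rel.rsplit("/", 1)[-1])
        lines.append(f"{name} = {rel}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    summary = summarize(parse_archiver_events(SAMPLE_LOG))
    for path, info in summary.items():
        print(f"{path}: seen {info['count']}x, {info['size']} bytes, "
              f"{info['over_by_mb']} MiB over threshold {info['threshold']}")
    print()
    print(suggest_blacklist(summary))
```

Run it against a copy of splunkd.log to get the list of files worth excluding; the stanza it prints goes into the search head's local distsearch.conf. Note that the count per file tells you only how often bundle replication looked at it, not that anything failed: as the replies below point out, the event is informational.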

bpaul_splunk
Splunk Employee

This 50 MB threshold is in older versions of Splunk. Starting with Splunk 6.6.0, the threshold value has been increased to 500 MB.

concerningReplicatedFileSize =
* Any individual file within a bundle that is larger than this value (in MB) will trigger a splunkd.log message.
* Where possible, avoid replicating such files, e.g. by customizing your blacklists.
* Defaults to: 500


jrodman
Splunk Employee

To clarify, it's not really a limit that changes behavior; it's just a point at which we complain.

Splunk thinks that you don't want to be search-replicating 50MB files because it will be slow and cause some RAM to be used pointlessly. These warnings are just to tell you that you have giant files that you probably want to handle some other way, as Mick says, or with mounted bundles.

We also partially work around this in 5.0 and later by trying not to send files that have not changed.
