Deployment Architecture

How long should bundle tar files persist in the search head? Can the space used be limited?

mzorzi
Splunk Employee

The disk space use on our search head is going up significantly. It would seem that *.bundle files in the $SPLUNK_HOME/var/run/ directory are being created but are never deleted. Some of them are almost 2 months old. At the moment they take more than 2.5 GB of space.

Why are these files not automatically cleared, and is there any way to set up Splunk to do it? If there is no configuration option, is it safe to remove old files manually?

1 Solution

jrodman
Splunk Employee

The replication bundles are currently not reaped at all, leading to the situation you see.

I have filed a bug to have this changed. Currently, yes, deleting older versions of a given app should be safe. Deleting the newest may not produce good results.

Simpler fix:

"$SPLUNK_HOME/bin/splunk" stop
rm "$SPLUNK_HOME"/var/run/*.bundle
"$SPLUNK_HOME/bin/splunk" start

Incidentally, we've a fix checked in for a future release, probably 4.1.2.
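
A more conservative cleanup than removing every bundle, as an added example that is not from the original thread or from Splunk: it lists (or, with --delete, removes) *.bundle files older than a given number of days and always keeps the most recently modified one. The function name, the age threshold and keeping only the single newest file are assumptions; run it with Splunk stopped, as in the answer above.

```shell
#!/usr/bin/env bash
# prune_bundles DIR DAYS [--delete]   (hypothetical helper, not a Splunk command)
# Dry run by default: prints what would be removed. With --delete it removes
# regular *.bundle files in DIR whose mtime is more than DAYS days old,
# except the newest bundle, which is never touched.
# Usage (assumed path from the question):
#   prune_bundles "$SPLUNK_HOME/var/run" 30
#   prune_bundles "$SPLUNK_HOME/var/run" 30 --delete
prune_bundles() {
    local dir=$1 days=$2 mode=${3:-}
    local newest= f

    # Validate input so a typo cannot turn into an unintended wide delete.
    case $days in
        ''|*[!0-9]*) echo "days must be a non-negative integer" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Find the most recently modified bundle without parsing ls output.
    for f in "$dir"/*.bundle; do
        [ -f "$f" ] || continue
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] || return 0    # no bundles, nothing to do

    # -type f skips symlinks and directories; -maxdepth 1 stays in DIR.
    find "$dir" -maxdepth 1 -type f -name '*.bundle' -mtime +"$days" -print |
    while IFS= read -r f; do
        [ "$f" = "$newest" ] && continue
        if [ "$mode" = "--delete" ]; then
            rm -f -- "$f" && echo "removed $f"
        else
            echo "would remove $f"
        fi
    done
}
```
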

jrodman
Splunk Employee

The search head has to generate the distributed search bundles in order to have them transmitted to the distributed search nodes. It could do this in memory, but storing them on disk is a pretty reasonable 'cache' location for them -- it persists nicely.

0 Karma

gkanapathy
Splunk Employee

I guess a search head wouldn't have search bundles on it.

0 Karma

gkanapathy
Splunk Employee

Are these deployment server bundles, or are these distributed search bundles? Search bundles can be quite large, and include CSV lookup tables. In early 4.0 there was a bug where distributed search files were not getting cleaned up, but I have observed them being cleaned up in all recent versions.

0 Karma