Splunk Search

Search Heads complain about " Archiver - Archiving large_file". Should I have mounted bundles in search head clustering or not?

ckurtz
Path Finder

Just moved to a new 6.2.2 Search Head Cluster (SHC) from a Search Head Pool (SHP) which had mounted bundles enabled. I have not enabled mounted bundles in the SHC. I am running an Indexer Cluster (10 slaves.)

I have several large (100-200+mb) lookup files that update multiple times per day. The new SHC are constantly complaining in splunkd.log (names changed to protect the guilty):

03-20-2015 11:06:14.343 -0700 INFO  Archiver - Archiving large_file=/opt/splunk/etc/apps/APPNAME/lookups/LARGELOOKUP.csv of size_in_bytes=67709135 (exceeding concerning_threshold=52428800)

According to my Google Fu, this is simply informing me that the lookup is larger than the max 50mb individual file size in a knowledge bundle. (Interestingly the distsearch.conf doc calls this setting "concerningReplicatedFileSize" but the INFO line clearly says concerning_threshold.)

According to Splunk Docs "the practical use case for mounted bundles is now extremely limited" (http://docs.splunk.com/Documentation/Splunk/6.2.2/DistSearch/Mounttheknowledgebundle)

Is it worth using mounted bundles, or is this a feature that's destined for removal?

0 Karma

Steve_G_
Splunk Employee
Splunk Employee

This is expected behavior, which is why the message is only at the INFO level. If the lookup file is actually changing, it's expected for this file to be tarred up and sent over the network every so often. If you are finding this message bothersome, you can bump the logger level for this channel to WARN.

If you're not having any associated problems with network congestion or response speed, you can just ignore the message.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...