Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the Splunk dispatch directory not getting cleaned up automatically, even after setting the dispatch.ttl in savedsearches.conf?

Plotkowski
Path Finder
‎11-23-2015 01:45 AM

We run into some issues in our Splunk environment.
We have a Splunk 6.3 indexer and search head. The dispatch directory on the search head is constantly growing and Splunk stops working after a few days. We then need to manually restart the search head.
After the restart, the dispatch directory is getting cleaned up automatically and only searches from the last 24h remain.
I already set the dispatch.ttl in savedsearches.conf to 86400. (1 day) But the artifacts in the directory remain for much longer until we restart the system.

We have about 10 scheduled searches with alarms which run every hour, so it is not that much.
Is there any way to fix the automatic clean-up of the directory or what is the best way to restart the search head automatically every night on a Windows system?

Reply

jkat54
SplunkTrust
SplunkTrust
‎01-01-2016 05:48 AM

Last time this happened to me there was another error causing the problem.

Please check index=_internal for any ERROR or WARN messages, and then fix all of them you can. In my case i had a datamodel that was deleted incorrectly and splunk was pounding the logs with "data model not found" errors. AND my issue completely disabled all scheduled searches, alerts, reports, and the sendemail command. After removing the saved search that referenced the missing data model, 10000 emails went out, performance increased, and the problems went away.

The issue was that Splunk was trying so hard to find the data model, it couldnt do anything else... all the maintenance tasks like emptying the old/obsolete search bundles were failing to execute because "splunk" was too busy.

0 Karma
Reply

jrubio1
New Member
‎01-14-2016 12:55 PM

ahhh I've seen some errors.. I'll look into cleaning that up and report back.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎01-14-2016 06:03 PM

I would be suspicious of anything that could hold up a scheduler... Missing searches, data models, infinite loop conditions, extremely long running searches, broken servers missing punctuation in conf files, etc. Good news is you have the best tool for finding needles in haystacks!

0 Karma
Reply

jrubio1
New Member
‎12-30-2015 12:31 PM

I'm having the same problem as well.. Will have to setup a .bat to clear out until solution is provided.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...