Getting Data In

Is it safe to delete .bundle files?

AaronMoorcroft
Communicator

Hi Guys,

So for some reason, I seem to have a few gigs of .bundle files in ProgramFiles/Splunk/var/run/searchpeers

They are all from a few days ago and there are none from what I can see for today or yesterday which I guess indicates there may have been an issue a few days back that's now resolved?

So my question is, is it safe to delete the files and also the folders that seem to accompany them?

Thanks as always

1 Solution

ddrillic
Ultra Champion

It's safe. I see -

$ ls *.bundle 
apsrp2245-1464133286.bundle  apsrp2245-1464996094.bundle  apsrp2245-1466239379.bundle  apsrp2252-1428717453.bundle

Nice discussion at knowledge bundle

It says -
-- The searchpeers directory retains up to five replicated bundles from each search head sending requests. If you delete them, they will be created again for the next search that needs that set of configurations. So technically you could remove older ones ...

salem34
Path Finder

Hi - Wondering whether you should delete them on the indexers and on the search heads as well if you want to enforce a creation of a new bundle?

0 Karma

ryanoconnor
Builder

It's safe yes but if 5 bundles are 2GB that puts them around 400MB a piece which is quite large and worth investigating as the bundle could have issues replicating if it hasn't already. Splunk states that above 200MB is a large bundle
http://docs.splunk.com/Documentation/Splunk/6.4.1/Indexer/Configurationbundleissues

Potentially there are items that could be blacklisted from being distributed to search peers to help remedy the situation.

0 Karma

AaronMoorcroft
Communicator

Cheers Guys,

Had it confirmed from our 3rd Party support team also, deleted the files did a quick restart of the service and all seems to be running smoothly again, not quite sure what caused it but with our network it could have been many things.

Thanks for the responses 🙂

Aaron

0 Karma

ryanoconnor
Builder

I would try to start by looking at these bundle files to see what is in them that is so large. Large bundles sometimes have issues replicating to search peers so it's best to keep them as minimal as possible.

This will also help you determine what was going on when they were so large to make sure it doesn't happen again.

Bundle files are simply tar files so you should be able to explore them with any application that can open tar files. In Windows that might be 7-zip or a few other applications that are out there.

0 Karma
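
An added example, not part of the original thread: since bundle files are tar files, the sketch below reads only the tar headers (nothing is extracted to disk) and reports which directories and files account for the size. The member names in the sample are constructed for illustration, the function names are hypothetical, and the 200 MB threshold is the figure quoted in the reply above.

```python
import io
import tarfile
from collections import Counter

LARGE_BUNDLE_BYTES = 200 * 1024 * 1024  # "large bundle" figure quoted in the thread


def summarize_bundle(fileobj, top_n=5):
    """Read tar headers only (no extraction) and report where the bytes are."""
    per_dir = Counter()
    files = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            parts = [p for p in member.name.split("/") if p not in ("", ".")]
            # Group by the first two path components, e.g. apps/<app name>
            key = "/".join(parts[:2]) if len(parts) > 2 else parts[0]
            per_dir[key] += member.size
            files.append((member.size, member.name))
    total = sum(per_dir.values())
    return {
        "total_bytes": total,
        "is_large": total > LARGE_BUNDLE_BYTES,
        "by_dir": per_dir.most_common(top_n),
        "largest_files": sorted(files, reverse=True)[:top_n],
    }


def build_sample_bundle():
    """Constructed sample: a small in-memory tar standing in for a .bundle file."""
    members = {  # assumed layout, sizes in bytes
        "apps/search/lookups/assets.csv": 9000,
        "apps/search/local/props.conf": 300,
        "apps/my_app/bin/helper.py": 1200,
        "system/local/authorize.conf": 150,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, size in members.items():
            info = tarfile.TarInfo(name)
            info.size = size
            tar.addfile(info, io.BytesIO(b"x" * size))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    report = summarize_bundle(build_sample_bundle())
    print("total bytes:", report["total_bytes"], "large:", report["is_large"])
    for name, size in report["by_dir"]:
        print(f"{size:>10}  {name}")
```

For a real file, pass `open(path, "rb")` to `summarize_bundle`; the largest entries are the candidates to review before deciding what should not be distributed to search peers.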

AaronMoorcroft
Communicator

Thank you 🙂

0 Karma