
What is the use for these bundle directories?

ctaf
Contributor

Hello,

I am working with a fully distributed architecture: deployment server, multi-site index cluster, search head cluster, ...
I am having some trouble understanding the use of each bundle residing in the different Splunk directories.

Can you help me understand the use of these folders?

  • $SPLUNK_HOME/var/run/searchpeers/ ===> Knowledge bundle distributed by Search Head (captain?)
  • $SPLUNK_HOME/var/run/splunk/ ===> Configuration bundle? If so, why aren't they removed after being extracted?
  • $SPLUNK_HOME/var/run/splunk/cluster/remote-bundle/ ===> ???
  • $SPLUNK_HOME/var/run/splunk/deploy/ ===> ???
  • $SPLUNK_HOME/var/run/splunk/dispatch/ ===> Job on the search head

Thank you 🙂

0 Karma
1 Solution

jwelch_splunk
Splunk Employee

If memory serves me right...

  • ../searchpeers: Contains search bundles from remote Splunk systems that are searching against this peer.
  • ../splunk: Is where we generate our bundles on the SH that are going to be sent to the remote peers.
  • ../cluster/remote-bundle: Is where a Cluster Master sticks the configuration bundles on the indexers.
  • ../deploy: Contains Deployer and Deployment Server bundles that are going to be pushed to remote hosts.
  • ../dispatch: Contains all the information about searches that are running on the SH/IDX. This would be filled with data on both the SH and the indexers.


ctaf
Contributor

Thank you!

Could you explain why the bundle is not deleted after being extracted and applied on the instance?

0 Karma

jwelch_splunk
Splunk Employee

Which bundle are you referring to here?

Most bundles are eventually reaped. We leave the Clustering Bundles there until a new one is received.

Search bundles (full) stay there and deltas are applied until a new full is required. We eventually reap these as well (at least we are supposed to).

Dispatch folders are also supposed to be reaped as well.

So if you have a specific issue, tell me exactly what it is you are seeing and I will try and help.

0 Karma

ctaf
Contributor

What do you mean by "reap"?

I am just surprised that there are old bundles in my ./splunk folder, as they are no longer useful.

0 Karma

jwelch_splunk
Splunk Employee

Reap means to remove. On occasion one might get left behind. If that is the case delete it and move on. If however you end up with lots of items that are not reaping for some reason, I would suggest opening a support case.

0 Karma

ctaf
Contributor

Anyone, please? 🙂

0 Karma