I'm seeing lots of dispatch directory threshold errors.
Is there an easy way to see what searches or reports are driving those values?
Having a lot of jobs artifacts in the dispatch folder, is directly proportional to the number of search jobs, and the time to live of the search artifact (dispatch.ttl)
Knowing that you can look at your dispatch folder and figure what constitutes the mass of job artifacts.
https://docs.splunk.com/Documentation/Splunk/latest/Search/Dispatchdirectoryandsearchartifacts
Options to reduce the TTL are :
For searches
- edit the dispatch.ttl in savedsearch.conf. For a particular search, or in the generic settings.
- do the same on a per search basis using the UI > searches&reports > advanced edit
for alerts
- reduce the ttl in alert_actions.conf
- or reduce the number of unnecessary alerts.
what is the error that you are getting?
you can click on activity (top right drop down) and pick "Jobs" filter by status
I get an error that says "Dispatch COmmand: The number of search artifacts in the dispatch directory is higher than recommended...."
I am just trying to figure out the best way to determine what is driving the large number of artifacts specifically. (Since we are running ITSI, I'm wondering what part of that, if any is contributing to the issue).