@ankitarath2011 , the issue discussed in this post occurs in Splunk 9.0.0 and 9.0.1. It does not occur in 8.x versions nor in versions from 9.0.2 onward.

How is your environment currently configured? See https://docs.splunk.com/Documentation/Splunk/8.2.3/DistSearch/PropagateSHCconfigurationchanges. 

What deployer push mode are you using, and where are you setting this value in app.conf? Within an app on the search heads, or in $SPLUNK_HOME/etc/system/local/app.conf on the Deployer?

Hi @trashyroadz  
Our push mode is merge_to_default.  All configurations are in $SPLUNK_HOME/etc/system/local/app.conf  in the Deployer. 

In the search page, getting error as "ReplicationStatus: Failed-Failure info: failed_because_BUNDLE_SIZE_RETRIEVAL_FAILURE"

In the message box got message saying bundle size exceeds limit. On checking, could see all apps in $SPLUNK_HOME/var/run/splunk/deploy even if we had changed a single file.

Please help on this.
Also want to know if any document is there to know the impact of increasing the maxBundleSize on system resources and performance (Splunk/System). If we are increasing, then how much infra needs to be increased in case it is needed.

@ankitarath2011 ,

Apologies for the delay, as I have been out of the office.

The issue you are reporting is very different than what is discussed on the current post, and needs a new thread. Could you rephrase your full question in a new post, and tag me in it? I tried to start a new one for you that we could continue on but I'm not certain the full context of your issue and question.

Regarding increasing maxBundleSize, it is normally a better practice to manage bundle sizes using the [replicationWhitelist] or [replicationBlacklist] stanzas in distsearch.conf.  Raising bundle size limits or raising bundle replication timeouts can cause bundles to take longer to reach your indexers. By default, Search Heads use knowledge bundles to send nearly the entire contents of all of their apps to the indexers. If an app contains large binaries that do not need to be shared with the indexers, reduce the size of the bundle by whitelisting or blacklisting particular files or types of files.

The short term solution we went with was to update the deployer_lookups_push_mode to not update the lookups as part of the push. Then, any time we needed to update the lookups, we leveraged the lookup editor app's API endpoint to make our updates (/services/data/lookup_edit/lookup_contents) as part of our ci/cd pipeline which we use to push updates to the cluster. There are example scripts posted online you should be able to find pretty easily in order to do this.

It's not the most elegant solution, but it's getting us through until we can upgrade 🙂

Hi @obpedro 
Thank you for your response. However, we are using preserve lookup while executing the apply bundle command.  So, in that case will change in deployer_lookups_push_mode help fix it? Is it not same as using -preserve-lookup true in the apply bundle command?

Also want to know what value you have for deployer_lookups_push_mode?

Actually, the correction was made to 9.0.2. See my comment above... which also provides a workaround for those running 9.0.0 or 9.0.1.

Hi,

There was a fix to this in version 9.0.1 so upgrade to that version or higher to get rid of this problem.

Have a nice day!