Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why do I keep getting warning messages of 5GB even though dispatch is less than 1GB?

kamal_jagga
Contributor
‎01-30-2019 11:39 AM

Hello,

I keep getting warning messages that my dispatch directory is full (5GB) even though the dispatch dir size is less than 1 GB. And also, my queries stop running, hence I have to clean up the dispatch dir to make Splunk run again.

Kindly advise.

0 Karma
Reply

woodcock
Esteemed Legend
‎02-01-2019 01:34 PM

It is not how big the volume is, it is how much free space is left. Try this command:

df /opt/splunk/var/run/splunk/dispatch/

It will show you how big the hosting volume is, how much space is used and how much is available. The Available will be > 500M if you are getting that warning/symptoms (unless you have changed the default).

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎01-30-2019 05:25 PM

Ah of course you are right @richgalloway ! The limit can be changed here in limits.conf if you cant make more space available dispatch_dir_warning_size = <int> https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Limitsconf

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-30-2019 03:49 PM

The 5GB warning is not about size, it's about free space. It's possible for the dispatch directory to be completely empty and still get this warning because the disk doesn't have at least 5GB available.

The fix is to free up files elsewhere on the disk, not just the dispatch directory.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎01-30-2019 12:25 PM

Hi @kamal_jagga

Interesting problem

  • is is possible that a large schedule job is filling the dispatch directory but then it fails so it clears the dispatch directory before you can see its true size?
  • Is it possible that the dispatch being filled is different to the server you assume it is? Maybe post the exact error message?

Good luck with your hunt

0 Karma
Reply

kamal_jagga
Contributor
‎02-01-2019 12:08 PM

Thanks for the reply. I had already checked for these things but wasn't of any help.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...