Currently half of my search heads are shut down (auto shutdown due to issues within Splunk) and the remaining ones are not able to query the indexers.
The problem is caused by a large knowledge bundle.
When I checked the .bundle files on the SHs, it is a huge (~340 MB) file with what looks like a huge piece of Python code.
I have maxBundleSize set to less than 2048 (which is the default).
I have a blacklist in distsearch.conf which is as below:
[replicationBlacklist]
= (.../bin/*)
= (.../install/*)
= (.../appserver/*)
= (.../default/data/ui/*)
= (.../default.old.*)
My question is: is there any way to check what files/apps are included in this bundle that is causing issues, and whether those items are required or can be excluded?
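One way to see what is inside a bundle like the one in the question above, as an added example that is not part of the original post: it reads only the archive's member list (nothing is extracted) and totals bytes per app and per file. It assumes the .bundle file is a tar archive laid out as `apps/<app>/...`; the function names and the sample archive are constructed for illustration.

```python
import io
import tarfile
from collections import Counter

def summarize_bundle(fileobj, depth=2, top=5):
    """Return (bytes per path prefix, largest files) for a tar-format bundle."""
    per_prefix = Counter()
    files = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:            # metadata only, no extraction
            if not member.isfile():
                continue
            name = member.name.removeprefix("./")
            # Assumed layout: apps/<app>/..., so depth=2 groups by app.
            prefix = "/".join(name.split("/")[:depth])
            per_prefix[prefix] += member.size
            files.append((member.size, name))
    files.sort(reverse=True)
    return per_prefix.most_common(), files[:top]

def build_sample_bundle():
    """Constructed sample: a tiny in-memory tar standing in for a real bundle."""
    sample = {
        "apps/big_app/lookups/assets.csv": b"x" * 5000,
        "apps/big_app/bin/helper.py": b"y" * 3000,
        "apps/small_app/default/props.conf": b"z" * 100,
        "system/local/server.conf": b"c" * 50,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sample.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # For a real bundle, pass open("<path to .bundle>", "rb") instead.
    by_prefix, largest = summarize_bundle(build_sample_bundle())
    for prefix, size in by_prefix:
        print(f"{size:>10}  {prefix}")
    print("largest files:")
    for size, name in largest:
        print(f"{size:>10}  {name}")
```

Files that show up under a path the blacklist is meant to cover, such as `bin/` in the sample, indicate that the corresponding rule is not matching.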