Hello. I seem to be having a couple of problems with Splunk on Splunk 3.0. First, my setup:
- Indexer with Splunk 5.0.3 and SOS TA 2.0.4
- Splunk search head (5.0.3) configured with search head pooling (although we're currently on only 1 search head) and SOS 3.0
My first problem is that I keep getting these warnings in the UI on the search head that there are too many files in the dispatch directory. I shut down Splunk yesterday, cleared it out completely and started it up again. As of a few minutes ago there are over 33K directories in my dispatch dir with "sos" in the name. Seems to be a mix of names like:
scheduler__nobody__sos__RMD5fe2b0603bfc33e11_at_1370430188_7004
subsearch_scheduler__nobody__sos__RMD5fe2b0603bfc33e11_at_1370446101_9051_1370446103.1
The warning I get in the UI coming every few minutes is:
Too many search jobs found in the dispatch directory (found=2689, warning level=2000). This could negatively impact Splunk's performance, consider removing some of the old search jobs.
Too many search jobs found in the dispatch directory (found=2690, warning level=2000). This could negatively impact Splunk's performance, consider removing some of the old search jobs.
Too many search jobs found in the dispatch directory (found=2688, warning level=2000). This could negatively impact Splunk's performance, consider removing some of the old search jobs.
Second problem is that while SOS seems to work, I find that on the default page of the app (seems to be the one labeled "Home - FTR"), it shows me a blank page and then continually refreshes it rapidly. I see this with recent versions of Chrome and Firefox. The other pages in SOS seem to work fine, however.
I've poked around and I haven't noticed anything in the logs that seems to indicate any issue with SOS, but I wouldn't be at all surprised if I missed something.
Thanks