
A quick tour of a dispatch directory

Each search has artifacts that need to be saved on disk

This happens in $SPLUNK_HOME/var/run/splunk/dispatch. There is one directory for each search and it is deleted after the search expires.

Here’s the dispatch directory from a simple search run from the UI. The directory name is the search id (sid); for an ad-hoc search it is the epoch time at which the search was dispatched. (More on the relationship between sids and search names in another post.)

# pwd
/Applications/splunk/var/run/splunk/dispatch
# ls  1346978195.13/
args.txt	 generate_preview  request.csv  status.csv  audited  info.csv  results.csv.gz  timeline.csv  buckets  metadata.csv  runtime.csv  events  peers.csv  search.log

  • args.txt – the arguments passed to the search process
  • generate_preview – a flag to indicate this search has requested preview (mainly for UI searches)
  • request.csv – list of search parameters from the request, including fields and the text of the search
  • status.csv – the current status of the search (such as if it is still running)
  • audited – a flag to indicate the events have been audit signed
  • info.csv – list of search details, including earliest and latest time and results count
  • results.csv.gz – archive containing the search results
  • timeline.csv – event count per timeline bucket
  • buckets – per-bucket field picker statistics
  • metadata.csv – owner and roles
  • runtime.csv – pause/cancel settings
  • events – the events used to generate the results
  • peers.csv – the search peers involved
  • search.log – log from the search process

Here are some common things to look for in the search.log:

The command to invoke the search process

09-06-2012 17:36:35.209 INFO  loader - Arguments are: "splunkd" "search" "--id=1346978195.13" "--maxbuckets=300" "--ttl=600" "--maxout=10000" "--maxtime=8640000" "--lookups=1" "--reduce_freq=10" "--required_fields=*" "--user=admin" "--pro" "--roles=admin:power:user"

The search as given to splunkd

09-06-2012 17:36:35.339 INFO  SearchParser - PARSING: litsearch host="10.10.67.125" | fields  keepcolorder=t "*" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

The indexes to be searched

09-06-2012 17:36:35.370 INFO  IndexScopedSearch - LISPY for index=main is lispy='[ AND host::10.10.67.125 ]' ct=2147483647 et=0 lt=2147483647 dbsize=9
09-06-2012 17:36:35.370 INFO  IndexScopedSearch - LISPY for index=os is lispy='[ AND host::10.10.67.125 ]' ct=2147483647 et=0 lt=2147483647 dbsize=4

Roles used

09-06-2012 17:36:35.222 INFO  UserManagerPro - Load authentication: forcing roles="admin, power, user"
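The four search.log line types above (arguments, roles, parsed search, per-index LISPY) are exactly the fields an auditor wants when reviewing a dispatch directory: who ran the search, with which roles, against which indexes, and when. The script below is an added example written for this post, not Splunk code: it parses the log lines quoted above (embedded as a constructed sample), pulls those fields out, converts the sid back to a UTC timestamp as described in the directory section, and flags a mismatch between the roles passed on the command line and the roles splunkd reports enforcing. The function and key names are the example's own.

```python
import os
import re
from datetime import datetime, timezone

# Constructed sample: the sid and the search.log lines quoted in the post.
SAMPLE_SID = "1346978195.13"
SAMPLE_SEARCH_LOG = """\
09-06-2012 17:36:35.209 INFO  loader - Arguments are: "splunkd" "search" "--id=1346978195.13" "--maxbuckets=300" "--ttl=600" "--maxout=10000" "--maxtime=8640000" "--lookups=1" "--reduce_freq=10" "--required_fields=*" "--user=admin" "--pro" "--roles=admin:power:user"
09-06-2012 17:36:35.222 INFO  UserManagerPro - Load authentication: forcing roles="admin, power, user"
09-06-2012 17:36:35.339 INFO  SearchParser - PARSING: litsearch host="10.10.67.125" | fields  keepcolorder=t "*" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
09-06-2012 17:36:35.370 INFO  IndexScopedSearch - LISPY for index=main is lispy='[ AND host::10.10.67.125 ]' ct=2147483647 et=0 lt=2147483647 dbsize=9
09-06-2012 17:36:35.370 INFO  IndexScopedSearch - LISPY for index=os is lispy='[ AND host::10.10.67.125 ]' ct=2147483647 et=0 lt=2147483647 dbsize=4
"""

# One pattern per search.log line type discussed in the post.
ARGS_RE = re.compile(r' loader - Arguments are: (.*)$')
ROLES_RE = re.compile(r'UserManagerPro - Load authentication: forcing roles="([^"]*)"')
PARSING_RE = re.compile(r'SearchParser - PARSING: (.*)$')
LISPY_RE = re.compile(r"IndexScopedSearch - LISPY for index=(\S+) is lispy='([^']*)'")


def sid_to_datetime(sid):
    """An ad-hoc sid is the epoch time the search was dispatched; the suffix after the dot is dropped."""
    return datetime.fromtimestamp(int(sid.split(".")[0]), tz=timezone.utc)


def parse_search_args(arg_text):
    """Turn the quoted argument list into {flag: value}; bare flags such as --pro map to True."""
    args = {}
    for token in re.findall(r'"([^"]*)"', arg_text):
        if not token.startswith("--"):
            continue  # "splunkd" and "search" are the program and subcommand, not flags
        key, sep, value = token[2:].partition("=")
        args[key] = value if sep else True
    return args


def summarize_search_log(text):
    """Extract who ran what, against which indexes, from the text of a search.log."""
    summary = {"sid": None, "user": None, "arg_roles": [], "forced_roles": [],
               "search": None, "indexes": {}}
    for line in text.splitlines():
        m = ARGS_RE.search(line)
        if m:
            args = parse_search_args(m.group(1))
            summary["sid"] = args.get("id")
            summary["user"] = args.get("user")
            roles = args.get("roles")
            summary["arg_roles"] = roles.split(":") if isinstance(roles, str) else []
            continue
        m = ROLES_RE.search(line)
        if m:
            summary["forced_roles"] = [r.strip() for r in m.group(1).split(",")]
            continue
        m = PARSING_RE.search(line)
        if m:
            summary["search"] = m.group(1).strip()
            continue
        m = LISPY_RE.search(line)
        if m:
            summary["indexes"][m.group(1)] = m.group(2)
    # Audit check: the roles on the command line should match the roles splunkd enforced.
    summary["roles_consistent"] = sorted(summary["arg_roles"]) == sorted(summary["forced_roles"])
    if summary["sid"]:
        summary["dispatched_utc"] = sid_to_datetime(summary["sid"]).isoformat()
    return summary


def summarize_dispatch_dir(path):
    """Read search.log from one dispatch directory on disk (a subdirectory of var/run/splunk/dispatch)."""
    with open(os.path.join(path, "search.log"), encoding="utf-8", errors="replace") as fh:
        return summarize_search_log(fh.read())


if __name__ == "__main__":
    for key, value in summarize_search_log(SAMPLE_SEARCH_LOG).items():
        print(f"{key}: {value}")
```

Run against a live dispatch directory with summarize_dispatch_dir("$SPLUNK_HOME/var/run/splunk/dispatch/<sid>") before the directory expires; the timestamps in search.log are in the server's local time, while the sid converts to UTC, which is why the sample's 17:36:35 log line and its 00:36:35Z sid differ by the host's UTC offset.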

Posted by Splunk