Each ad-hoc search, report or alert you run creates a search artifact. Artifacts are stored in directories under the dispatch directory, with one separate directory per search job. Every search result eventually expires, and when it does, the search-specific artifact directory is deleted with it.
If your dispatch directory is overfull, you can resolve it manually from the UI or from the backend. Suppose you are getting an error message like this:
“Search peer mainsplunk09 has the following message: Dispatch Command: The number of search artifacts in the dispatch directory is higher than recommended (count=5485, warning threshold=5000) and could have an impact on search performance. Remove excess search artifacts using the “splunk clean-dispatch” CLI command, and review artifact retention policies in limits.conf and savedsearches.conf. You can also raise this warning threshold in limits.conf / dispatch_dir_warning_size. ”
A possible solution is to reduce the excess artifacts in the dispatch directory with changes in the following .conf files:
1. savedsearches.conf (alert.expires) – GUI/Backend
2. limits.conf – Backend
1. Changes in alert.expires
• Steps in the front-end user interface (UI):
- Select Settings > Searches, reports, and alerts
- Click Advanced Edit
- Search for alert.expires and change its value
- Save
The default warning threshold is 5000. The threshold can be raised by changing dispatch_dir_warning_size in limits.conf, but this is not advisable, because it may result in consuming more resources.
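A small read-only check, added here as an example and not part of the original post, that counts the per-job artifact directories under the dispatch directory and compares the count against the warning threshold from limits.conf; it also counts artifacts older than a given number of days, which hints at an overly long alert.expires. It assumes SPLUNK_HOME is /opt/splunk unless set, and takes the threshold as an argument rather than parsing limits.conf.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling. Assumes SPLUNK_HOME=/opt/splunk
# when the variable is unset; the warning threshold is passed in (default 5000).

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
DISPATCH_DIR="${DISPATCH_DIR:-$SPLUNK_HOME/var/run/splunk/dispatch}"

# One directory per search job, so count immediate subdirectories only.
# Prints 0 when the directory does not exist.
count_dispatch_artifacts() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Count job directories older than N days (default 1). These are artifacts
# that expiry should normally have removed already; a large number points at
# a long alert.expires on one or more saved searches.
count_stale_artifacts() {
    dir="$1"
    days="${2:-1}"
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -mindepth 1 -maxdepth 1 -type d -mtime "+$days" | wc -l | tr -d ' '
}

# Returns 0 when count is within the threshold, 1 when it exceeds it.
check_threshold() {
    count="$1"
    threshold="${2:-5000}"
    [ "$count" -le "$threshold" ]
}

# Human-readable summary for an operator; mirrors the message Splunk emits.
report() {
    n=$(count_dispatch_artifacts "$DISPATCH_DIR")
    stale=$(count_stale_artifacts "$DISPATCH_DIR" 1)
    if check_threshold "$n" "${DISPATCH_WARN:-5000}"; then
        echo "dispatch artifacts: $n (stale >1 day: $stale), within threshold"
    else
        echo "dispatch artifacts: $n (stale >1 day: $stale), exceeds threshold"
        echo "review alert.expires in savedsearches.conf and run 'splunk clean-dispatch'"
    fi
}

# Uncomment to run against the live dispatch directory:
# report
```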