Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

UF is not flavour for monitoring over 10k of files?

philip_w
Explorer
‎09-05-2018 07:56 PM

Hi,

I guess I'm not alone for this issue.
Any of you encountered high CPU using when UF is monitoring like over 10k of files?
In fact each file is very small. But they're required to be collected.
As I know UF would have a full list of files in memory, seems traversing the file list would spend a lot of CPU time.
This is still the same if we specified ignoreOlderThan.
And I can't reorganize customer's files

Now I'm considering to write a scheduled script to add file by file through the script, e.g. using "add oneshot".
But that's pain to keep track whether files have been captured or not.

Kindly want to listen if any other smarter suggestions.

THANKS!!

0 Karma
Reply

ddrillic
Ultra Champion
‎09-06-2018 07:35 AM

@philip_w - keep in mind that when the forwarder comes up, it has to build this list which is costly. The moment the original scan is over, the forwarder should be stable and consume less cpu. So, I suggest that in your testing, allow time to reach the stabilized period...

0 Karma
Reply

philip_w
Explorer
‎09-06-2018 07:44 AM

Badly, it went up too high when it's kind of stabilized (1.8 core) which impacted customer's business or even consumed more resource than their business application.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-06-2018 04:54 AM

do you want to "monitor" over 10k files or just "upload" more than 10k files regularly/often ?!?!

these links can give you some more info..

https://answers.splunk.com/answers/559996/what-is-the-limit-of-number-of-files-a-universal-f.html

https://answers.splunk.com/answers/294295/is-there-a-limit-best-practice-to-how-many-data-in-1.html

https://www.splunk.com/blog/2011/11/21/whats-your-ulimit.html

0 Karma
Reply

philip_w
Explorer
‎09-06-2018 07:14 AM

I meant monitoring 10k. In fact, we just need to index once since all the files are XMLs, they won't update.
As said, I can't rotate or reorganize customer's files. They're there for other business reason.

From this post, it seems setting ulimit -n to unlimited may not be the best. Currently we use ulimited. Let me check if smaller number works.
https://www.splunk.com/blog/2011/11/21/whats-your-ulimit.html

0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...