Solved: Re: forwarding too slow

crazyeva · ‎12-24-2013

i let universalforwarder distribute raw data, when doing unzip work;
indexer doing sedcmd-filter, transfrom-filter work
But indexing process very slow 500events/persecond
cpu, diskio, network all at low utility
i dont know what is wrong
Can i just:
# cp /opt/splunkforwarder /opt/splunkforwarder01
# /opt/splunkforwarder01/bin/./splunk start
#
# cp /opt/splunkforwarder /opt/splunkforwarder02
# /opt/splunkforwarder02/bin/./splunk start
.....
?

martin_mueller · ‎12-25-2013

I don't see any benefit in running several copies of the same forwarder on one machine.

As for forwarding speed, make sure you aren't hitting the configurable speed limiter, I believe the default is 256KB/s - if your events are 500byte on average then 500eps is about 256KB/s.

View solution in original post

martin_mueller · ‎12-25-2013

I don't see any benefit in running several copies of the same forwarder on one machine.

As for forwarding speed, make sure you aren't hitting the configurable speed limiter, I believe the default is 256KB/s - if your events are 500byte on average then 500eps is about 256KB/s.

crazyeva · ‎12-25-2013

You are quite right! maxKBps was set to 256!
Its the first time I use universalforwarder.
Thank you very much!

forwarding too slow

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?