Getting Data In

forwarding too slow

crazyeva
Contributor

i let universalforwarder distribute raw data, when doing unzip work;
indexer doing sedcmd-filter, transfrom-filter work
But indexing process very slow 500events/persecond
cpu, diskio, network all at low utility
i dont know what is wrong
Can i just:
# cp /opt/splunkforwarder /opt/splunkforwarder01
# /opt/splunkforwarder01/bin/./splunk start
#
# cp /opt/splunkforwarder /opt/splunkforwarder02
# /opt/splunkforwarder02/bin/./splunk start
.....
?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

I don't see any benefit in running several copies of the same forwarder on one machine.

As for forwarding speed, make sure you aren't hitting the configurable speed limiter, I believe the default is 256KB/s - if your events are 500byte on average then 500eps is about 256KB/s.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

I don't see any benefit in running several copies of the same forwarder on one machine.

As for forwarding speed, make sure you aren't hitting the configurable speed limiter, I believe the default is 256KB/s - if your events are 500byte on average then 500eps is about 256KB/s.

crazyeva
Contributor

You are quite right! maxKBps was set to 256!
Its the first time I use universalforwarder.
Thank you very much!

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...