Getting Data In

Do you have any recommendations for Universal forwarder settings that would ease the resource usage for Universal Forwarders loaded on AWS micro servers?

jpt751
New Member

One of our user applications utilizes over 50% Micro Servers in AWS. The micros meet the minimum requirements for Splunk, but experienced high CPU usage once the Universal Forwarder instances were added to them. These micros are being used to host static web pages. Do you have any recommendations for Universal Forwarder settings that would ease the resource usage? Or do you have any suggestions for an alternate way to extract the logs from the micros?

0 Karma

lguinn2
Legend

Generally, the CPU usage of the Universal Forwarder (UF) is pretty directly tied to the number of files being monitored. Quite often, the UF is pointed at a directory of log files - and a lot of the files are stale. You can often boost UF performance by writing a simple script (or using the logrotate command in Linux) to move stale files to an archive directory - or delete them.

One of the other issues with the AWS micro issues may be the network performance. I quit using micro instances as much as possible due to the low network performance. This also can have an effect on Splunk and the networking infrastructure in general. This was a problem in my particular case even though I did not have a high data volume. If you are not monitoring a lot of files, try setting up an instance with better network performance and see if the problem goes away.

I don't know the exact network performance specs for the various AWS instances, but I am pretty sure that micro instances don't provide the equivalent of a 1 GB NIC.

0 Karma
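
The stale-file cleanup described in the answer above, as an added example that is not part of the original thread: a POSIX shell function that moves old log files out of the monitored directory without deleting or overwriting anything. The function name, the example paths and the 7-day default are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and the 7-day default are assumptions.

# archive_stale_logs SRC_DIR ARCHIVE_DIR [MAX_AGE_DAYS]
# Moves regular files directly under SRC_DIR whose mtime is more than
# MAX_AGE_DAYS days old into ARCHIVE_DIR and prints how many were moved.
archive_stale_logs() {
    src=$1; dest=$2; days=${3:-7}; moved=0
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    case $days in ''|*[!0-9]*) echo "bad age: $days" >&2; return 1 ;; esac
    mkdir -p "$dest" || return 1
    src_abs=$(cd "$src" && pwd -P) || return 1
    dest_abs=$(cd "$dest" && pwd -P) || return 1
    # Keep the archive outside the monitored tree so a recursive monitor
    # does not pick the moved files up again.
    case "$dest_abs/" in
        "$src_abs"/*) echo "archive must be outside $src_abs" >&2; return 1 ;;
    esac
    for f in "$src_abs"/*; do
        # Regular files only; skip symlinks and directories.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # find prints the path only if mtime is older than the threshold.
        [ -n "$(find "$f" -prune -mtime +"$days")" ] || continue
        target="$dest_abs/${f##*/}"
        n=0
        # Never overwrite an earlier archive of the same name.
        while [ -e "$target" ]; do
            n=$((n + 1)); target="$dest_abs/${f##*/}.$n"
        done
        mv -- "$f" "$target" && moved=$((moved + 1))
    done
    echo "$moved"
}

# Run as a script, e.g.: archive_stale_logs.sh /var/log/myapp /var/log/myapp-archive 7
if [ "$#" -ge 2 ]; then archive_stale_logs "$@"; fi
```

Moving rather than deleting keeps the original logs available if they are needed later for an investigation.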

nkwong_splunk
Splunk Employee

Are you using t1.micro instances? If so, I'd recommend trying the newer t2.micro instances since they have better baseline performance, burstable performance, and they are cheaper.

0 Karma