Splunk Enterprise

how to quickly index historical logs on a dedicated forwarder

tpsplunk
Communicator

I need to index several hundred gigs of historical logs. I have a machine that is dedicated for this purpose. I installed the universal forwarder and have used the [monitor] stanza in inputs.conf to start the indexing. It is working, but it seems REALLY slow. Since this server is dedicated to this purpose, is there any way I can force the forwarder to use more system resources to chug through the logs at a faster pace?

I'm also open to alternative solutions to this problem.

1 Solution

mikelanghorst
Motivator

There could be a few reasons for the speed: disk I/O on the forwarder, CPU, etc.

However, the first thing I would look at is the limits.conf file. The universal forwarder has limits for how much data it can send at a time; this may be the cause of the perceived slowness.

http://www.splunk.com/base/Documentation/4.2.2/Admin/Limitsconf

[thruput]

maxKBps =
* If specified and not zero, this limits the speed through the thruput processor to the specified rate in kilobytes per second.
* To control the CPU load while indexing, use this to throttle the number of events this indexer processes to the rate (in KBps) you specify.

On a universal forwarder, this is set to 256 by default.

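The [thruput] change from the accepted answer, plus the check a practitioner wants before and after making it: is the forwarder actually pinned at its maxKBps cap, or is it slow for some other reason (disk, CPU)? This is an added example, not code from the thread or from Splunk. It assumes a Linux universal forwarder under /opt/splunkforwarder (the SPLUNK_HOME default is an assumption), uses a constructed metrics.log sample rather than real forwarder output, and the function and variable names are the example's own. The metrics.log line layout it parses (group=thruput, name=thruput, instantaneous_kbps=..., average_kbps=...) is the format the forwarder writes to $SPLUNK_HOME/var/log/splunk/metrics.log every 30 seconds.

```shell
#!/bin/sh
# Added example (not from the thread): set the universal forwarder's
# [thruput] maxKBps cap and read metrics.log to see whether the forwarder
# really was pinned at that cap. SPLUNK_HOME is an assumed default path.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Write a limits.conf with the given cap. Per the limits.conf spec quoted
# above, 0 means "not limited"; the universal forwarder ships with 256.
# $1 = directory for limits.conf (normally $SPLUNK_HOME/etc/system/local)
# $2 = maxKBps value
write_thruput_limit() {
    mkdir -p "$1"
    cat > "$1/limits.conf" <<EOF
[thruput]
maxKBps = $2
EOF
}

# Read maxKBps back from ONE limits.conf, honouring only the [thruput]
# stanza; prints 256 (the UF default) when the key is absent. Layered
# precedence across apps is what "splunk btool" is for, not this function.
# $1 = path to limits.conf
read_thruput_limit() {
    awk -F'=' '
        /^[ \t]*\[/ { stanza = $0; sub(/^[ \t]+/, "", stanza) }
        stanza == "[thruput]" && $1 ~ /^[ \t]*maxKBps[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v)
        }
        END { print (v == "" ? "256" : v) }
    ' "$1"
}

# Summarise the forwarder's own thruput metrics. If instantaneous_kbps sits
# at the cap interval after interval, the forwarder is throttled by
# maxKBps, not starved for CPU or disk.
# Prints: "<mean average_kbps> <intervals at >=95% of cap> <intervals seen>"
# $1 = metrics.log path   $2 = configured maxKBps (0 = unlimited)
throttle_report() {
    awk -v cap="$2" '
        /group=thruput, name=thruput,/ {
            n++
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                sub(/,$/, "", kv[2])
                if (kv[1] == "average_kbps") sum += kv[2]
                if (kv[1] == "instantaneous_kbps" && cap > 0 && kv[2] + 0 >= cap * 0.95) pinned++
            }
        }
        END { printf "%.1f %d %d\n", (n ? sum / n : 0), pinned + 0, n + 0 }
    ' "$1"
}

# Constructed sample (not from a real forwarder): three intervals parked
# at the 256 KB/s default, then one interval well below it.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/metrics.log" <<'EOF'
05-02-2012 14:03:12.110 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=255.9, instantaneous_eps=1210.3, average_kbps=255.4, total_k_processed=7901, kb=7677.0, ev=36309, load_average=0.62
05-02-2012 14:03:43.112 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=256.0, instantaneous_eps=1214.8, average_kbps=255.8, total_k_processed=15581, kb=7680.0, ev=36444, load_average=0.60
05-02-2012 14:04:14.109 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=255.7, instantaneous_eps=1208.9, average_kbps=255.6, total_k_processed=23252, kb=7671.0, ev=36267, load_average=0.61
05-02-2012 14:04:45.115 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=120.3, instantaneous_eps=570.5, average_kbps=201.2, total_k_processed=26861, kb=3609.0, ev=17115, load_average=0.55
EOF

# Stand-alone run against the sample: write the default cap into a scratch
# directory, read it back, and report how often the forwarder hit it.
write_thruput_limit "$WORK/local" 256
cap="$(read_thruput_limit "$WORK/local/limits.conf")"
report="$(throttle_report "$WORK/metrics.log" "$cap")"
echo "maxKBps=$cap  (mean_kbps intervals_at_cap intervals_total): $report"
```

On the real forwarder you would call write_thruput_limit "$SPLUNK_HOME/etc/system/local" 0 (or a finite value), confirm which file wins with "$SPLUNK_HOME/bin/splunk" btool limits list thruput --debug, and then "$SPLUNK_HOME/bin/splunk" restart. Setting 0 removes the cap entirely, so the forwarder pushes as fast as its disk and the network allow; if the receiving indexers also carry production traffic, pick a finite value and watch their queues rather than going straight to unlimited.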

tpsplunk
Communicator

You guys are both right; it was my thruput. As soon as I bumped it up I could process logs way faster.


mikelanghorst
Motivator

damn IE not having my credentials cached...

dwaddle
SplunkTrust

Did you raise the maxKBps setting in the [thruput] stanza of limits.conf?

http://www.splunk.com/base/Documentation/latest/Admin/Limitsconf
