Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Indexer is slowing down

carmackd
Communicator
‎06-30-2010 01:28 PM

I'm having problems with indexing a particular log source, which is slowing down. It started off strong but continues to drop hourly. My main concern is the log files that are starting to accumulate on the forwarder, which is using the batch stanza. Here is the content of the indexers indexes.conf file.

[default]
maxTotalDataSizeMB = 27000000
frozenTimePeriodInSecs = 18869760000

Is there anything I can do to increase thruput for a specific source?

Tags (1)
Reply

adamw
Communicator
‎08-19-2010 03:45 AM

What type of input is this. We have noticed a slowdown in monitors where there are hundreds (even thousands) of files being monitored. Solution was to remove some of the files being monitored, because they were old rotated log files, and once splunk has them,we don't really care about the source file anymore.

0 Karma
Reply

Lowell
Super Champion
‎06-30-2010 05:29 PM

Please add to your question: (1) version of splunk indexer, (2) version of your forwarder. (3) why you suspect this to be an indexing performance issue and not a monitor (or batch) performance issue.

Reply

Simeon
Splunk Employee
Splunk Employee
‎06-30-2010 03:42 PM

Tuning the indexes.conf file will not speed up indexing. If you are having a problem with indexing speed, you should check the internal metrics as well as system resources. If you have enabled the lightweight forwarder app, it is possible that your thruput limit is set to 256 kbps. Without complete details regarding the log source, a more complete answer is difficult to supply.

Reply

Lowell
Super Champion
‎06-30-2010 05:30 PM

Could you add some additional info about the specific metrics you are looking at.

Reply

carmackd
Communicator
‎06-30-2010 04:52 PM

All the internal metrics searches I've ran seem to tell me I have a problem.

0 Karma
Reply

carmackd
Communicator
‎06-30-2010 04:51 PM

I'm using a regular forwarder. This log source seems to be the only one on the indexer that is slowing down. Thruput started off high but continues to dwindle. I've ran some searches using the internal metrics, such as looking at thruput and indexing speeds. Any other recommended searches would be helpful.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...