Has anybody experienced condition where Forwarder is not reading and sending old logs fast? Eventhough there's plenty of bandwidth between forwarder and Indexer?
I have a feeling that Splunk forwarder is intentionally forwarding data at a low rate to reduce load on the network and the server when the data that's being indexed is old (not current) data.
Does splunk intelligently rate data transfers and index speed based on age of the data?
Is this a Universal Forwarder? UF's have a default data transfer rate capped at 256Kbps.
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Introducingtheuniversalforwarder
Maybe someone overrode the default setting in limits.conf?
http://splunk-base.splunk.com/answers/1810/store-and-forward-and-bandwidth-contraints
[thruput]
maxKBps =
* If specified and not zero, this limits the speed through the thruput processor to the specified
rate in kilobytes per second.
* To control the CPU load while indexing, use this to throttle the number of events this indexer
processes to the rate (in KBps) you specify.