Solved: Splunk universal forwarder performance

wsweat · ‎08-25-2012

Hello,

Is there a performance guide for the universal forwarder (v 4.3.3)?

The indexer is running at 2 events per second and I'm only running one universal forwarder. The indexer has 16 cores and 16GB of mem and I'm having the forwarder send over a dozen, or so, files that range from a 100MB - 20GB. Both systems are underutilized for both memory and cpu (server load is around 0.5 on both).

Thanks

_d_ · ‎08-25-2012

There is no guide, but in terms of thruput note the following:

A Universal Forwarder is capable of outputting at a much higher rate than a typical indexer can properly ingest.
A Universal Forwarder's default thruput is capped at 256KBps:

$SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default/limits.conf [thruput] maxKBps = 256

Hope this helps.

d.

View solution in original post

_d_ · ‎08-25-2012

There is no guide, but in terms of thruput note the following:

A Universal Forwarder is capable of outputting at a much higher rate than a typical indexer can properly ingest.
A Universal Forwarder's default thruput is capped at 256KBps:

$SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default/limits.conf [thruput] maxKBps = 256

Hope this helps.

d.

wsweat · ‎08-25-2012

I was looking in the $SPLUNK_HOME/etc/system/default/limits.conf file and didn't look in that directory.

I've made the change to 1024 and see the increased indexer activity.

Thanks!

Splunk universal forwarder performance

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life