Solved: If Universal Forwarder crashes, can we throttle th...

roychen · ‎07-29-2012

Hello,

Assuming that I have a universal forwarder configured to monitor a directory of flat files, e.g. /var/log/, what happens if the following sequence of events happens?

Universal forwarder is monitoring files in /var/log
Universal forwarder crashes for some reason, or someone accidentally kills the process
Files in /var/log are modified, written to, etc. Assume a large number of changes have been made
Universal forwarder is restarted

In this situation, will the universal forwarder simply check through /var/log for any modified files, and send all the changes in the logs to the indexer at one go, thus possibly saturating the network bandwidth?

I believe the universal forwarder's max throughput is 256 kb/s, so if there's a large amount of changes, will it always attempt to send data to the indexer at this maximum rate?

Is there any way to throttle the universal forwarder's sending rate?

gkanapathy · ‎07-30-2012

The throttled is set to a 256 Kb/s on a UF, but you can set this to whatever rate you like, higher or lower, in the limits.conf file, e.g.:

[thruput]
maxKBps = 128

Setting it to "0" makes the maximum rate unlimited (up to the capacity of the process and the machine).

View solution in original post

gkanapathy · ‎07-30-2012

The throttled is set to a 256 Kb/s on a UF, but you can set this to whatever rate you like, higher or lower, in the limits.conf file, e.g.:

[thruput]
maxKBps = 128

Setting it to "0" makes the maximum rate unlimited (up to the capacity of the process and the machine).

If Universal Forwarder crashes, can we throttle the rate at which it sends data to indexer?

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!