We're running Splunk 4.3.3 on a Linux box. The target log files are on a NetApp NAS, accessed by Splunk through an NFS mount. The target log files are Java application server log4j logs. The naming convention is such that the current log is always - .log, and Splunk is set to use that as its data source, eg it is only targetting that one file per data input, as opposed to looking at everything after the /.
What we're seeing is that the Splunk user account shows up as the top IOPS consumer on the NetApp. Why is this so high, and are there any ways to reduce this? We could move to another OS for the Splunk indexers, as there's some thought that Solaris might read the logs more efficiently. Is there any advantage in using followtail = 0 versus followtail = 1? Any other suggestions?
... View more