https://community.splunk.com/t5/Getting-Data-In/Moving-files-and-folders-inputs-to-heavy-forwarder/m-p/406332#M72114 <P>Thank you, will try during the nearest change</P> Wed, 27 Feb 2019 16:11:00 GMT evelenke 2019-02-27T16:11:00Z https://community.splunk.com/t5/Getting-Data-In/Moving-files-and-folders-inputs-to-heavy-forwarder/m-p/406329#M72111 <P>Hi Splunkers,</P> <P>we use approach to collect logs on syslog and than point Splunk on logs with Files &amp; Directories inputs. All inputs were located on the indexer (single-node deployment). <BR /> It was deployed another node as Heavy Forwarder, also with the purpose to move inputs there. <BR /> Each folder has logs from particular asset, where data is collected and separated by date (deep structure). <BR /> Previously we've moved about 30 inputs, and it worked nice and quick. Now we've moved around 700 inputs there. <BR /> To avoid license violation (when Splunk potentially might re-index all old logs) we've added a stanza ignoreOlderThan=1d for each input. <BR /> After restarting Splunk on the HF node, it takes a long time to start forwarding events to the indexer. <BR /> As I understand it re-reads all the file structure to keep this "ignoreOld" policy. <BR /> Question - how can we improve the process, what may we change in confihurations to speed-up processing and forwarding data in case new Splunk restarts on HF? </P> Sat, 23 Feb 2019 21:44:06 GMT https://community.splunk.com/t5/Getting-Data-In/Moving-files-and-folders-inputs-to-heavy-forwarder/m-p/406329#M72111 evelenke 2019-02-23T21:44:06Z https://community.splunk.com/t5/Getting-Data-In/Moving-files-and-folders-inputs-to-heavy-forwarder/m-p/406330#M72112 <P>I assume you have setup ulimits as per splunk's recommendations on the Indexer and heavy forwarders.<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.2.4/Installation/Systemrequirements">https://docs.splunk.com/Documentation/Splunk/7.2.4/Installation/Systemrequirements</A></P> <P>Also, if the old files are read and indexed, you can either delete or archive them on to a different folder or name, so they are not read again.</P> <P>Additionally, you can read only a certain number of directories or files (using name pattern/regex) and after they are indexed, you can add additional files/folders in stages [ you may need to have more than one monitor stanza as required]</P> Sat, 23 Feb 2019 22:29:40 GMT https://community.splunk.com/t5/Getting-Data-In/Moving-files-and-folders-inputs-to-heavy-forwarder/m-p/406330#M72112 lakshman239 2019-02-23T22:29:40Z https://community.splunk.com/t5/Getting-Data-In/Moving-files-and-folders-inputs-to-heavy-forwarder/m-p/406331#M72113 <P>Hi @evelenke</P> <P>Your setup sounds quite similar than ours. We collect syslog with rsyslog and put them into a structured folder system like /var/log/rsyslog-splunk/uc////logfile.log</P> <P>We have also several hundreds of files on our servers. First of all make sure that you configure the ulimits as described by @lakshman239 (<A href="https://docs.splunk.com/Documentation/Splunk/7.2.4/Installation/Systemrequirements">https://docs.splunk.com/Documentation/Splunk/7.2.4/Installation/Systemrequirements</A>)</P> <P>We also raised the thruput limits (limits.conf): <CODE>maxKBps = 0</CODE></P> <PRE><CODE>[thruput] maxKBps = &lt;integer&gt; If specified and not zero, this limits the speed through the thruput processor to the specified rate in kilobytes per second. To control the CPU load while indexing, use this to throttle the number of events this indexer processes to the rate (in KBps) you specify. </CODE></PRE> <P>The second config we did was raising the pipelines to 4 (server.conf). <CODE>parallelIngestionPipelines = 4</CODE></P> <PRE><CODE>parallelIngestionPipelines = &lt;integer&gt; * The number of discrete data ingestion pipeline sets to create for this instance. * A pipeline set handles the processing of data, from receiving streams of events through event processing and writing the events to disk. * An indexer that operates multiple pipeline sets can achieve improved performance with data parsing and disk writing, at the cost of additional CPU cores. * For most installations, the default setting of "1" is optimal. * Use caution when changing this setting. Increasing the CPU usage for data ingestion reduces available CPU cores for other tasks like searching. * NOTE: Enabling multiple ingestion pipelines can change the behavior of some settings in other configuration files. Each ingestion pipeline enforces the limits of the following settings independently: 1. maxKBps (in the limits.conf file) 2. max_fd (in the limits.conf file) 3. maxHotBuckets (in the indexes.conf file) 4. maxHotSpanSecs (in the indexes.conf file) * Default: 1 </CODE></PRE> Sun, 24 Feb 2019 05:26:05 GMT https://community.splunk.com/t5/Getting-Data-In/Moving-files-and-folders-inputs-to-heavy-forwarder/m-p/406331#M72113 markusspitzli 2019-02-24T05:26:05Z https://community.splunk.com/t5/Getting-Data-In/Moving-files-and-folders-inputs-to-heavy-forwarder/m-p/406332#M72114 <P>Thank you, will try during the nearest change</P> Wed, 27 Feb 2019 16:11:00 GMT https://community.splunk.com/t5/Getting-Data-In/Moving-files-and-folders-inputs-to-heavy-forwarder/m-p/406332#M72114 evelenke 2019-02-27T16:11:00Z https://community.splunk.com/t5/Getting-Data-In/Moving-files-and-folders-inputs-to-heavy-forwarder/m-p/406333#M72115 <P>Thank you, will try during the nearest change</P> Wed, 27 Feb 2019 16:11:10 GMT https://community.splunk.com/t5/Getting-Data-In/Moving-files-and-folders-inputs-to-heavy-forwarder/m-p/406333#M72115 evelenke 2019-02-27T16:11:10Z