https://community.splunk.com/t5/Monitoring-Splunk/Splunk-UF-performance-issue-not-forward-all-logs-data/m-p/491654#M4073 <P>What do the <CODE>inputs.conf</CODE> entries look like?</P> <P>What is the system load on your log aggregator?</P> <P>How big is your Splunk env?</P> <P>What network components (firewalls, load balancers, etc) are between the collector and Splunk?</P> Fri, 13 Mar 2020 13:10:34 GMT wmyersas 2020-03-13T13:10:34Z https://community.splunk.com/t5/Monitoring-Splunk/Splunk-UF-performance-issue-not-forward-all-logs-data/m-p/491653#M4072 <P>Hi Experts,</P> <P>In my NFS server, Splunk UF is installed. That NFS server is basically a log storage server, <BR /> log rotation daemon also running on that server that convert file to gzip file after 24 hours, in same location.<BR /> NFS server is a single server, and it have really big amount of data.</P> <P>But some time my UF don't forward some files data from NFS server to my Indexers server. <BR /> Many files remain missing in my Splunk indexers.</P> <P>Following parameters are same for many of the sourcetype in props.conf ( Yes, many events are really big)<BR /> TRUNCATE = 20000<BR /> MAX_EVENTS = 512<BR /> BREAK_ONLY_BEFORE = &lt; [Set] &gt; </P> <P>Please suggest how I improve my UF performance.</P> Wed, 30 Sep 2020 04:33:58 GMT https://community.splunk.com/t5/Monitoring-Splunk/Splunk-UF-performance-issue-not-forward-all-logs-data/m-p/491653#M4072 arun_kant_sharm 2020-09-30T04:33:58Z https://community.splunk.com/t5/Monitoring-Splunk/Splunk-UF-performance-issue-not-forward-all-logs-data/m-p/491654#M4073 <P>What do the <CODE>inputs.conf</CODE> entries look like?</P> <P>What is the system load on your log aggregator?</P> <P>How big is your Splunk env?</P> <P>What network components (firewalls, load balancers, etc) are between the collector and Splunk?</P> Fri, 13 Mar 2020 13:10:34 GMT https://community.splunk.com/t5/Monitoring-Splunk/Splunk-UF-performance-issue-not-forward-all-logs-data/m-p/491654#M4073 wmyersas 2020-03-13T13:10:34Z https://community.splunk.com/t5/Monitoring-Splunk/Splunk-UF-performance-issue-not-forward-all-logs-data/m-p/491655#M4074 <P>In my splunk env I have one NFS server (for log collection), in that server UF is installed. That contain input.conf file, props.conf . file. In input.conf file, we have to monitor some directory that forward data to particular Index, using sourcetype define in props.conf.</P> <P>That NFS server is on premise server, its forward data on 6 indexer, indexer are EC2 instances, that share same AWS- route53 , in round-robin technique (So no ALB/NLB/ELB in between indexers). Yes I can manage that NFS server also using one Splunk-Master server. Indexer cold and frozen bucket are AWS-EFS drives, that are same between all indexers. Apart of this some Search Head servers, yes SH connected to ALB and then route 53.</P> <P>In indexer server I continuously store data of other on premise servers, AWS-Servers, Openshift Server, DB Servers, SysLogs servers. </P> Sat, 14 Mar 2020 06:55:23 GMT https://community.splunk.com/t5/Monitoring-Splunk/Splunk-UF-performance-issue-not-forward-all-logs-data/m-p/491655#M4074 arun_kant_sharm 2020-03-14T06:55:23Z https://community.splunk.com/t5/Monitoring-Splunk/Splunk-UF-performance-issue-not-forward-all-logs-data/m-p/491656#M4075 <P>You have to have good hygiene for old logs. Hundreds of co-resident logs is fine, thousands is risky, above that you will experience a total breakdown in the UF's ability to search through them and send updates in a timely manner. Even if the <CODE>*.tgz</CODE> does not match your <CODE>monitor</CODE> pattern, they will still cause this problem unless you MOVE THEM SOMEWHERE ELSE.</P> Sat, 14 Mar 2020 17:38:00 GMT https://community.splunk.com/t5/Monitoring-Splunk/Splunk-UF-performance-issue-not-forward-all-logs-data/m-p/491656#M4075 woodcock 2020-03-14T17:38:00Z