https://community.splunk.com/t5/Splunk-Search/How-do-you-know-when-to-increase-the-bandwidth-limits/m-p/156420#M44007 <P>Hi jmsiegma,</P> <P>if you don't have any troubles regarding late arriving events on the indexer or blocked queues on the forwarder I would not change the <CODE>[thruput]</CODE> ... this could bring your indexer in trouble if all forwarders suddenly send more data.</P> <P>You could setup a <A href="http://docs.splunk.com/Documentation/Splunk/6.0/Data/Usepersistentqueues">persistent queue on the forwarder</A> to protect your data. </P> <P>If you want to know if a universal forwarder is done reading/sending data, you can use the REST end point</P> <PRE><CODE> /services/admin/inputstatus/TailingProcessor:FileStatus </CODE></PRE> <P>In the end point you can find information about "open file", and others showing "finished reading".</P> <P>Some details about the endpoint information, when the percent is 100% :</P> <P><CODE>"finished reading"</CODE> means that the file has been read and forwarded till the end.<BR /><BR /> <CODE>"open file"</CODE> means the same, but in addition the handle on the file is still open (because it has been less than 3 seconds, or because it is being 'tailed', or the file has just being reopen for any update or rotation).</P> <P>Splunk will monitor every file, because Splunk assumes that a new event can be added to any file.</P> <P>hope this helps...</P> <P>cheers, MuS</P> Thu, 08 May 2014 05:41:22 GMT MuS 2014-05-08T05:41:22Z https://community.splunk.com/t5/Splunk-Search/How-do-you-know-when-to-increase-the-bandwidth-limits/m-p/156419#M44006 <P>I have a few remote Splunk Universal Forwarders that forward along a metric ton of logs received from local firewalls via syslog to that local system, and I am unsure if I should increase the limits.conf [thruput] maxKBps = {default} to something greater to make sure it is able to send everything down stream.</P> <P>Is there a log somewhere that would say if the Universal Forwarder was getting backed up?</P> Thu, 08 May 2014 05:02:44 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-know-when-to-increase-the-bandwidth-limits/m-p/156419#M44006 jmsiegma 2014-05-08T05:02:44Z https://community.splunk.com/t5/Splunk-Search/How-do-you-know-when-to-increase-the-bandwidth-limits/m-p/156420#M44007 <P>Hi jmsiegma,</P> <P>if you don't have any troubles regarding late arriving events on the indexer or blocked queues on the forwarder I would not change the <CODE>[thruput]</CODE> ... this could bring your indexer in trouble if all forwarders suddenly send more data.</P> <P>You could setup a <A href="http://docs.splunk.com/Documentation/Splunk/6.0/Data/Usepersistentqueues">persistent queue on the forwarder</A> to protect your data. </P> <P>If you want to know if a universal forwarder is done reading/sending data, you can use the REST end point</P> <PRE><CODE> /services/admin/inputstatus/TailingProcessor:FileStatus </CODE></PRE> <P>In the end point you can find information about "open file", and others showing "finished reading".</P> <P>Some details about the endpoint information, when the percent is 100% :</P> <P><CODE>"finished reading"</CODE> means that the file has been read and forwarded till the end.<BR /><BR /> <CODE>"open file"</CODE> means the same, but in addition the handle on the file is still open (because it has been less than 3 seconds, or because it is being 'tailed', or the file has just being reopen for any update or rotation).</P> <P>Splunk will monitor every file, because Splunk assumes that a new event can be added to any file.</P> <P>hope this helps...</P> <P>cheers, MuS</P> Thu, 08 May 2014 05:41:22 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-know-when-to-increase-the-bandwidth-limits/m-p/156420#M44007 MuS 2014-05-08T05:41:22Z https://community.splunk.com/t5/Splunk-Search/How-do-you-know-when-to-increase-the-bandwidth-limits/m-p/156421#M44008 <P>A good approach is to look at the metrics.log from the forwarder (local to the forwarder, they are not monitored).<BR /> If you see that the forwarder is constantly hitting the thruput limit, you can increase it, and check back.</P> <P><CODE>cd $SPLUNK_HOME/var/log/splunk/metrics.log<BR /> grep "name=thruput" metrics.log<BR /> </CODE></P> <P>Example: The instantaneous_kbps and average_kbps are always under 256KBps.</P> <BLOCKQUOTE> <P>11-19-2013 07:36:01.398 -0600 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=251.790673, instantaneous_eps=3.934229, average_kbps=110.691774, total_k_processed=101429722, kb=7808.000000, ev=122</P> </BLOCKQUOTE> <P>see this guide on how to check the speed limit in metrics.<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Troubleshootingeventsindexingdelay#Possible_thruput_limits" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Troubleshootingeventsindexingdelay#Possible_thruput_limits</A></P> Mon, 28 Sep 2020 16:33:25 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-know-when-to-increase-the-bandwidth-limits/m-p/156421#M44008 yannK 2020-09-28T16:33:25Z https://community.splunk.com/t5/Splunk-Search/How-do-you-know-when-to-increase-the-bandwidth-limits/m-p/156422#M44009 <P>This is very interesting, I will have to play with this a bit more, and the persistent queue comment was helpful </P> <P>Thankyou</P> Thu, 08 May 2014 18:29:50 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-know-when-to-increase-the-bandwidth-limits/m-p/156422#M44009 jmsiegma 2014-05-08T18:29:50Z