All Apps and Add-ons

How to change ulimit and THP in Splunk after ver 7.2.2

yutaka1005
Builder

OS : Amazon Linux 2
Splunk Ver : 7.2.3

In Splunk before ver 7.2.2, there is start script in /etc/init.d, so I was adding commands to the file like below.

 splunk_start() {
   echo Starting Splunk...
   ulimit -n 64000
   ulimit -u 16000
   if test -f /sys/kernel/mm/transparent_hugepage/enabled; then
    echo never > /sys/kernel/mm/transparent_hugepage/enabled
   fi
   if test -f /sys/kernel/mm/transparent_hugepage/defrag; then
    echo never > /sys/kernel/mm/transparent_hugepage/defrag
   fi

   if test -f /sys/kernel/mm/redhat_transparent_hugepage/enabled; then
    echo never > /sys/kernel/mm/redhat_transparent_hugepage/enabled
   fi
   if test -f /sys/kernel/mm/redhat_transparent_hugepage/defrag; then
    echo never > /sys/kernel/mm/redhat_transparent_hugepage/defrag
   fi

But in Splunk after ver 7.2.2, if Splunk detect systemd, it makes unit files to run splunkd service, and there is not start script in /etc/init.d.

So I added options ExecStartPre,LimitNOFILE,LimitNPROC to unit file /etc/systemd/system/Splunkd.service, and I could change ulimit and disable THP.

ExecStartPre=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"
ExecStart=/opt/splunk/bin/splunk _internal_launch_under_systemd
LimitNOFILE=64000
LimitNPROC=16000

*Answers I referred
https://answers.splunk.com/answers/590209/rhelcentos-7-systemd-not-honoring-ulimits.html

Anyway, I want to know whether this way is best, OR is there another best practice reccomended by Splunk?

1 Solution

yutaka1005
Builder

Splunk Support team said this method is no problem.

View solution in original post

0 Karma

yutaka1005
Builder

Splunk Support team said this method is no problem.

0 Karma

inventsekar
Ultra Champion
0 Karma

droehr_splunk
Splunk Employee
Splunk Employee

very good idea... thx

0 Karma

yutaka1005
Builder

Thank you for comment!

I asked Splunk Support team, and they said this method is no problem!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...