All Apps and Add-ons

How to change ulimit and THP in Splunk after ver 7.2.2

yutaka1005
Builder

OS : Amazon Linux 2
Splunk Ver : 7.2.3

In Splunk before ver 7.2.2, there is start script in /etc/init.d, so I was adding commands to the file like below.

 splunk_start() {
   echo Starting Splunk...
   ulimit -n 64000
   ulimit -u 16000
   if test -f /sys/kernel/mm/transparent_hugepage/enabled; then
    echo never > /sys/kernel/mm/transparent_hugepage/enabled
   fi
   if test -f /sys/kernel/mm/transparent_hugepage/defrag; then
    echo never > /sys/kernel/mm/transparent_hugepage/defrag
   fi

   if test -f /sys/kernel/mm/redhat_transparent_hugepage/enabled; then
    echo never > /sys/kernel/mm/redhat_transparent_hugepage/enabled
   fi
   if test -f /sys/kernel/mm/redhat_transparent_hugepage/defrag; then
    echo never > /sys/kernel/mm/redhat_transparent_hugepage/defrag
   fi

But in Splunk after ver 7.2.2, if Splunk detect systemd, it makes unit files to run splunkd service, and there is not start script in /etc/init.d.

So I added options ExecStartPre,LimitNOFILE,LimitNPROC to unit file /etc/systemd/system/Splunkd.service, and I could change ulimit and disable THP.

ExecStartPre=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"
ExecStart=/opt/splunk/bin/splunk _internal_launch_under_systemd
LimitNOFILE=64000
LimitNPROC=16000

*Answers I referred
https://answers.splunk.com/answers/590209/rhelcentos-7-systemd-not-honoring-ulimits.html

Anyway, I want to know whether this way is best, OR is there another best practice reccomended by Splunk?

1 Solution

yutaka1005
Builder

Splunk Support team said this method is no problem.

View solution in original post

0 Karma

yutaka1005
Builder

Splunk Support team said this method is no problem.

0 Karma

inventsekar
SplunkTrust
SplunkTrust
0 Karma

droehr_splunk
Splunk Employee
Splunk Employee

very good idea... thx

0 Karma

yutaka1005
Builder

Thank you for comment!

I asked Splunk Support team, and they said this method is no problem!

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...