Deployment Architecture

How do I configure Splunk_TA_Stream to not check in so often?

daniel333
Builder

All,

I placed Splunk_TA_stream on a bunch of boxes and now the search head it's hitting is getting murdered performance-wise. I really only need the Splunk_TA_stream to check in every few hours at most. But it seems almost real time. Is there a configuration option for this? I'd really like to be in a place where I can get 3k universal forwarders checking in to 3 Reference search heads in a search head cluster without a performance impact.

0 Karma
1 Solution

micahkemp
Champion

Have you tried configuring the ping interval on the streamfwd instances that phone home to the search head?

https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/StreamForwardersizingguide

The maximum number of Stream forwarders (streamfwd) that a search head can support depends on the value of the pingInterval parameter in streamfwd.conf.

View solution in original post

0 Karma

micahkemp
Champion

Have you tried configuring the ping interval on the streamfwd instances that phone home to the search head?

https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/StreamForwardersizingguide

The maximum number of Stream forwarders (streamfwd) that a search head can support depends on the value of the pingInterval parameter in streamfwd.conf.
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...