Deployment Architecture

How do I configure Splunk_TA_Stream to not check in so often?

Builder

All,

I placed SplunkTAstream on a bunch of boxes and now the search head it's hitting is getting murdered performance-wise. I really only need the SplunkTAstream to check in every few hours at most. But it seems almost real time. Is there a configuration option for this? I'd really like to be in a place where I can get 3k universal forwarders checking in to 3 Reference search heads in a search head cluster without a performance impact.

0 Karma
1 Solution

Champion

Have you tried configuring the ping interval on the streamfwd instances that phone home to the search head?

https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/StreamForwardersizingguide

The maximum number of Stream forwarders (streamfwd) that a search head can support depends on the value of the pingInterval parameter in streamfwd.conf.

View solution in original post

0 Karma

Champion

Have you tried configuring the ping interval on the streamfwd instances that phone home to the search head?

https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/StreamForwardersizingguide

The maximum number of Stream forwarders (streamfwd) that a search head can support depends on the value of the pingInterval parameter in streamfwd.conf.

View solution in original post

0 Karma