I set up the limits.conf file as the following and save in the path /opt/splunkforwarder/etc/system/local/limits.conf
maxKBps = 512
But when the logs are increasing, sometimes it was exceeded 512Kb, even up to 3000kb.
Can someone please solve this problem? thanks in advance.
Can you confirm you do not have any other apps that are overwriting this setting?
$splunk_home$/splunk btool limits list --debug | grep -i maxkbps
This will show you all configurations that have this applied. I imagine you have an app that is taking priority and overwriting your 512kb setting.
I have run the above command line...but only have one configuration.
./splunk btool limits list --debug | grep -i maxkbps
/opt/splunkforwarder/etc/system/local/limits.conf maxKBps = 512
Below is my search for your reference.
index=_internal source=*metrics*"group=tcpin_connections" "tcp_KBps" | rename _tcp_KBps as tcp_KBps | table sourceHost, kb, tcp_KBps | where tcp_KBps > 512
Which Splunk version are you using?
We reported a bug in 6.3.2 UF recently.