After configuring a limit on the forwarder's rate ...

Moon629 · ‎04-07-2015

I set up the limits.conf file as the following and save in the path /opt/splunkforwarder/etc/system/local/limits.conf

[thruput]
maxKBps = 512

But when the logs are increasing, sometimes it was exceeded 512Kb, even up to 3000kb.

Can someone please solve this problem? thanks in advance.

sfmandmdev · ‎06-07-2016

Which Splunk version are you using?
We reported a bug in 6.3.2 UF recently.

Moon629 · ‎06-11-2016

We didn't upgrade UF, so they are still in 6.2

esix_splunk · ‎04-07-2015

Can you confirm you do not have any other apps that are overwriting this setting?

$splunk_home$/splunk btool limits list --debug | grep -i maxkbps

This will show you all configurations that have this applied. I imagine you have an app that is taking priority and overwriting your 512kb setting.

Moon629 · ‎04-07-2015

Below is my search for your reference.

index=_internal source=*metrics*"group=tcpin_connections" "tcp_KBps"  | rename _tcp_KBps as tcp_KBps | table sourceHost, kb, tcp_KBps | where tcp_KBps > 512

Moon629 · ‎04-07-2015

I have run the above command line...but only have one configuration.

./splunk btool limits list --debug | grep -i maxkbps
/opt/splunkforwarder/etc/system/local/limits.conf maxKBps = 512

After configuring a limit on the forwarder's rate of thruput, why is the maxKBps setting still being exceeded?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?