- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After configuring a limit on the forwarder's rate of thruput, why is the maxKBps setting still being exceeded?
I set up the limits.conf file as the following and save in the path /opt/splunkforwarder/etc/system/local/limits.conf
[thruput]
maxKBps = 512
But when the logs are increasing, sometimes it was exceeded 512Kb, even up to 3000kb.
Can someone please solve this problem? thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Which Splunk version are you using?
We reported a bug in 6.3.2 UF recently.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We didn't upgrade UF, so they are still in 6.2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you confirm you do not have any other apps that are overwriting this setting?
$splunk_home$/splunk btool limits list --debug | grep -i maxkbps
This will show you all configurations that have this applied. I imagine you have an app that is taking priority and overwriting your 512kb setting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Below is my search for your reference.
index=_internal source=*metrics*"group=tcpin_connections" "tcp_KBps" | rename _tcp_KBps as tcp_KBps | table sourceHost, kb, tcp_KBps | where tcp_KBps > 512
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have run the above command line...but only have one configuration.
./splunk btool limits list --debug | grep -i maxkbps
/opt/splunkforwarder/etc/system/local/limits.conf maxKBps = 512
