Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Do Universal Forwarders allow for bursts of data before starting to throttle?

joshhealey13
Engager
‎03-20-2015 08:17 AM

The universal forwarder in our setup is forwarding data to a single indexer and the max KBps is set to the default value of 256KBps in the limits.conf.

I have generated a graph with the following search:
index=_internal group="tcpin_connections" | timechart span=30m avg(tcp_KBps)
which shows Average TCP KB per second per forwarder.

The graph shows the same pattern every day. The average KBps gradually reaches anywhere between 430KBps to 660KBps and then suddenly drops to 250KBps and stays at this for several hours and then gradually drops. This is repeated every day.

During these times there is a delay in the log files appearing in Splunk which means are alerting and reports are off. This delay happens the whole time the KBps rate is at 250KBps and the delay only stops after the KBps starts to drop (when the amount of events per second in the logs drop).

So going back to my original question I want to know why the KBps can go as high 660KBps (but not every time most of the time lower) and then suddenly drops.
Does Splunk allow for bursts of data for a short period of time and then start to throttle to the max KBps set in the limits.conf once the KBps has been too high for too long.

Reply

ekost
Splunk Employee
Splunk Employee
‎03-20-2015 08:57 AM

Yes, the process for measuring Splunk Enterprise forwarding thruput is a send > check numbers > limit > repeat. Obviously I'm not a dev! This results in spikes of data. More detail than that on the process would have to come through support. In any case, reducing the persistent queue on the outputs.conf to something much smaller (~128k) was offered as a way to flatten the peaks, as there was less data queued to send. Play with that on a select group of forwarders and check the results.

0 Karma
Reply

itrimble1
Path Finder
‎09-15-2019 03:43 AM

What is the minimum value for this setting ?

Reply

joshhealey13
Engager
‎03-20-2015 09:15 AM

The persistent queue explains why the logs experience delay because the logs are being queued and it takes several hours for the queue to processed and for the lie data to be streamed again.

What it doesn't explain is why the KBps of the forwarder goes up to around 4000KBps to 600KBps for a few hours and then drops to 250KBps.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...