Solved: Re: Maximum Size of Files for UF

SplunkDash · ‎08-12-2023

Hello,

Do we have any SPLUNK recommended maximum size of a single source file for UFs to push? I know maximus size of Lookup is 500MB. But for SPLUNK UF based data ingestion, I have a few source files need to be ingested every day using UF and each of the size of source files is around 2.2 GB. Do you have any recommendations? Thank you so much.

isoutamo · ‎08-12-2023

Hi

I haven’t seen any recommendations for ingested files. More important is how much events come to it and could UF read it faster than new events come! This situation could cause delays for source events on this host especially if there are lot of files. 2.2GB/day isn’t any issue for UF if your source node can handle to generate that log.

r. Ismo

View solution in original post

isoutamo · ‎08-12-2023

Hi

I haven’t seen any recommendations for ingested files. More important is how much events come to it and could UF read it faster than new events come! This situation could cause delays for source events on this host especially if there are lot of files. 2.2GB/day isn’t any issue for UF if your source node can handle to generate that log.

r. Ismo

Do we have any SPLUNK recommended maximum size of a single source file for UFs to push?

universal forwarder

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Do we have any SPLUNK recommended maximum size of a single source file for UFs to push?

universal forwarder

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!