Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Forwarding and Indexing Large Files

rbarajas
Explorer
‎11-14-2017 04:26 PM

Anyone have any experience with fowarding and indexing files larger than 200mb every minute?
I'm curious if there are any forwarding processes or indexing processes that need some tuning to keep track of new files being created by our app each minute.

0 Karma
Reply

djl
Explorer
‎11-15-2017 05:46 AM

Blessed by a good network and robust indexers, the universal forwarder on the endpoint is usually my bottleneck. By closely watching the local splunkd.log file you can see where the forwarder is struggling.

This post ended up being a major help in a recent major log source onboarding experience I had - https://answers.splunk.com/answers/38218/universal-forwarder-parsingqueue-kb-size.html

I also learned the lesson during that onboarding process to uncompress large log files before handing off to the UF for parsing. The UF can handle some on the fly decompression/parsing, but at a certain point it can't keep things straight... We were dealing with compressed text files that were 1-3 million lines long, not a normal type of log situation though.

Best,

David

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-15-2017 01:55 AM

Hi rbarajas,
I experienced this situation, the only way to avoid problems is to have a really good infrastructure: at first a really quick storage (1200 iops), many CPUs on Indexers and a good network, large files indexing could have long indexing queues that cause slow performaces in all the system.
About network, Splunk optimize bandwidth occupation, if you haven't a great constrain you could change the network parameter and send larger packets but I usually don't do this!
As second consequence you could not have a really near time monitoring because there could be a delay in indexing: this is important for real time monitoring and acceletarions.
Bye.
Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...