Re: How can we handle forwarders on highly-utilize...

ddrillic · ‎01-28-2018

We have all kinds of issues when a forwarder is installed on a highly-utilized server, such as a DB Linux server due to running out of resources on this type of servers. I wonder which alternatives we can use for the forwarder in such cases.

ddrillic · ‎02-05-2018

Btw, is there a way to limit the amount of memory Splunk uses on a server?

esix_splunk · ‎01-28-2018

What are you monitoring on this server with the Forwarder? Are you running the NIX TA to get CPU / Mem / Disk performance metrics? Or are you just reading log files?

If you're collecting metrics from the OS, you might look at collectd as an alternative for collecting the metrics, and send that to Splunk.

If you're just reading log files, you could setup syslog to forward those logs to another server and then use a forwarder there to read the files.

ddrillic · ‎01-29-2018

-- If you're just reading log files, you could setup syslog to forward those logs to another server and then use a forwarder there to read the files.

Very interesting.

dedwards93 · ‎01-28-2018

Try to use the least wildcards as possible in your inputs.conf
The more wildcards you use to tell the forwarder where to search for logs, the more resources it needs.

Avoid uses of /.../ as much as you can. This will reduce the amount of resource the forwarder requires.

How can we handle forwarders on highly-utilized servers?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation