Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How much splunk memory use should I expect while monitoring a directory with many entries?

andyk
Path Finder
‎10-26-2011 05:54 AM

If I remove the only input stanza I have on a forwarder and restart Splunk the memory usage is 2GB. How can a forwarder use that much memory if I don't have any input stanzas?

On this page it's described how Splunk use CRC checksums to keep track of which files it has seen before.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Howlogfilerotationishandled

How much space does this data use on disk and in memory if you have let Splunk monitor a directory that over the years have contained more than 1 000 000 files?

This question is related to this question:
http://splunk-base.splunk.com/answers/32528/lots-of-log-files-how-can-i-reduce-forwarder-memory-usag...

Tags (1)
Reply

peter_krammer
Communicator
‎10-10-2014 02:28 AM

Try to clean out your fishbucket. 

%SPLUNK_HOME%/bin/splunk stop 
%SPLUNK_HOME%/bin/splunk clean eventdata -index _fishbucket 
%SPLUNK_HOME%/bin/splunk start
0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎10-10-2014 02:24 AM

We believe that Splunk monitor uses on the order of 1KB per file or directory in a monitored location. This includes files that will not be read.

Reply

andyk
Path Finder
‎10-27-2011 06:31 AM

I had to modify your command since I'm on Windows: %SPLUNK_HOME%\bin\splunk.exe cmd btprobe -d %SPLUNK_HOME%\var\lib\splunk\fishbucket\splunk_private_db\ -k ALL | find /c "key". The result is 66827.

0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎10-26-2011 01:12 PM

Hi andyw. A few questions for you :

- How do you measure the memory consumption of the forwarder? Which metric (Vsize? RSS?) shows the 2Gb figure?

- How large is the directory $SPLUNK_HOME/var/lib/splunk/fishbucket on the forwarder?
- How many records exist in your fishbucket? To find out, run :

$SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db/ -k ALL | wc -l

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...