Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How much splunk memory use should I expect while monitoring a directory with many entries?

andyk
Path Finder
‎10-26-2011 05:54 AM

If I remove the only input stanza I have on a forwarder and restart Splunk the memory usage is 2GB. How can a forwarder use that much memory if I don't have any input stanzas?

On this page it's described how Splunk use CRC checksums to keep track of which files it has seen before.

http://docs.splunk.com/Documentation/Splunk/latest/Data/Howlogfilerotationishandled

How much space does this data use on disk and in memory if you have let Splunk monitor a directory that over the years have contained more than 1 000 000 files?

This question is related to this question:
http://splunk-base.splunk.com/answers/32528/lots-of-log-files-how-can-i-reduce-forwarder-memory-usag...

Tags (1)
Reply

peter_krammer
Communicator
‎10-10-2014 02:28 AM

Try to clean out your fishbucket. 

%SPLUNK_HOME%/bin/splunk stop 
%SPLUNK_HOME%/bin/splunk clean eventdata -index _fishbucket 
%SPLUNK_HOME%/bin/splunk start
0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎10-10-2014 02:24 AM

We believe that Splunk monitor uses on the order of 1KB per file or directory in a monitored location. This includes files that will not be read.

Reply

andyk
Path Finder
‎10-27-2011 06:31 AM

I had to modify your command since I'm on Windows: %SPLUNK_HOME%\bin\splunk.exe cmd btprobe -d %SPLUNK_HOME%\var\lib\splunk\fishbucket\splunk_private_db\ -k ALL | find /c "key". The result is 66827.

0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎10-26-2011 01:12 PM

Hi andyw. A few questions for you :

- How do you measure the memory consumption of the forwarder? Which metric (Vsize? RSS?) shows the 2Gb figure?

- How large is the directory $SPLUNK_HOME/var/lib/splunk/fishbucket on the forwarder?
- How many records exist in your fishbucket? To find out, run :

$SPLUNK_HOME/bin/splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db/ -k ALL | wc -l

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...