If Universal Forwarder crashes, can we throttle the rate at which it sends data to indexer?

roychen
Path Finder

Hello,

Assuming that I have a universal forwarder configured to monitor a directory of flat files, e.g. /var/log/, what happens if the following sequence of events happens?

  1. Universal forwarder is monitoring files in /var/log
  2. Universal forwarder crashes for some reason, or someone accidentally kills the process
  3. Files in /var/log are modified, written to, etc. Assume a large number of changes have been made
  4. Universal forwarder is restarted

In this situation, will the universal forwarder simply check through /var/log for any modified files, and send all the changes in the logs to the indexer at one go, thus possibly saturating the network bandwidth?

I believe the universal forwarder's max throughput is 256 kb/s, so if there's a large amount of changes, will it always attempt to send data to the indexer at this maximum rate?

Is there any way to throttle the universal forwarder's sending rate?

gkanapathy
Splunk Employee

The throttle is set to 256 Kb/s on a UF, but you can set this to whatever rate you like, higher or lower, in the limits.conf file, e.g.:

[thruput]
maxKBps = 128

Setting it to "0" makes the maximum rate unlimited (up to the capacity of the process and the machine).
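
Added example (not part of the original posts, and not Splunk's own code): a small Python estimate of how long a restarted forwarder needs to drain the backlog from the scenario in the question under a given [thruput] maxKBps, including the "0" (unlimited) case and the case where the throttle is too low to ever catch up. The function names, the 1 KB = 1024 bytes convention, the link capacity and the sample figures are assumptions made for illustration; the 256 fallback is the UF value stated in the answer.

```python
import configparser
import math

# Constructed sample mirroring the stanza shown in the answer above.
SAMPLE_LIMITS_CONF = """
[thruput]
maxKBps = 128
"""


def read_max_kbps(conf_text, default=256):
    """Return [thruput] maxKBps from limits.conf text (0 means unlimited).

    Falls back to `default` (the UF value stated in the answer) when the
    stanza or the key is absent.
    """
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key case: "maxKBps", not "maxkbps"
    parser.read_string(conf_text)
    if not parser.has_option("thruput", "maxKBps"):
        return default
    value = int(parser.get("thruput", "maxKBps"))
    if value < 0:
        raise ValueError("maxKBps must be 0 (unlimited) or a positive integer")
    return value


def effective_kbps(max_kbps, link_kbps):
    """Sending rate actually achievable: the throttle, capped by the link."""
    return link_kbps if max_kbps == 0 else min(max_kbps, link_kbps)


def catch_up_seconds(backlog_kb, new_kb_per_s, max_kbps, link_kbps):
    """Seconds until the backlog is drained while new log data keeps arriving.

    Returns math.inf when the throttle is at or below the rate at which new
    data is written, i.e. the indexer never gets current data again.
    """
    if backlog_kb <= 0:
        return 0.0
    drain = effective_kbps(max_kbps, link_kbps) - new_kb_per_s
    return math.inf if drain <= 0 else backlog_kb / drain


if __name__ == "__main__":
    limit = read_max_kbps(SAMPLE_LIMITS_CONF)
    backlog = 2 * 1024 * 1024          # constructed: 2 GiB written while the UF was down
    secs = catch_up_seconds(backlog, new_kb_per_s=28, max_kbps=limit, link_kbps=12500)
    print(f"maxKBps={limit}: backlog drained after {secs / 3600:.1f} h")
```

A low throttle protects the link but lengthens the window in which events reach the indexer late, so the same figures are worth checking against how quickly searches and alerts need the data.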
