Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is there a way to prioritize inputs?

pdominicb
Explorer
Tuesday

I am about to have a few UFs monitoring some extremely high volume logs. These high volume logs are less critical than some of the current low volume logs we're already monitoring. Its acceptable that the new high volume logs are delayed, but we need the current critical ones in (near) real-time as possible. 

We're already looking at setting maxkbps=0 or increasing concurrent pipelines, but we have concerns on resource consumption. We'd rather not add extra CPUs just for logging. 

So, I am wondering if there is anyway to set some inputs to be a higher priority than others. A few ideas I had are :

  1. Use TCPOUT routing and set the maxkbps per destination. But maxkbps is global, so that wont work.
  2. Raise concurrent pipelines on the UF and prioritize each pipeline somehow. For example, one pipeline is guaranteed 80% of the load, while another pipeline is only allowed 20% of the load. Then specify the pipeline to use per input. But there doesn't seem to be a way to say one pipeline is prioritized over another. 
  3. Install two UFs on the servers. Port conflicts... seems horrible. 

Any ideas here?

Labels (2)
Tags (3)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
6 hours ago

Generally speaking - no. There is no way to prioritize inputs. And yes, it can have an impact on UFs sometimes. I've had a strange setup with a UF checking huge number of  files from network shares. Every time the UF was restarted it would need about an hour to catch up with the states of all the monitored files. As far as I remember it even lagged ingestion of forwarder's internal events. That was very wrong and luckily has been fixed since. But it shows that you can't prioritize inputs versus each other.

 

Reply

livehybrid
SplunkTrust
SplunkTrust
Tuesday

Hi @pdominicb 

The only thing that comes to my mind is the maxkbps limits.conf setting which you've mentioned too, and yes this is global therefore I think the only way you could control the limit per input is to run two UF on the same server. This is possible but you would need to update the clashing ports, this shouldnt be too much of a big deal as the UF will only listen on port 8089 (mgmt) plus any input ports configured, so you could set your second UF installation to listen on port 8090 (for example).

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...