Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Memory Usage by streamfwd.exe

ashajambagi
Communicator
‎10-06-2020 03:56 AM

Hi All,

I have recently deployed Splunk TA Stream on universal forwarder to collect DNS data. Stream App is configured on heavy Forwarder. The universal forwarder is forwarding the data to indexer cluster.

The streamfwd.exe service on DNS server is consuming 1GB of memory. Is it a normal behavior of streamfwd.exe service to use memory in GB?

UF host details : Windows 2012 R2 , Memory : 32 GB , 64bit

Below configurations on Universal Forwarder:

limits.conf

 

 

maxKbps = 4096

 

 

inputs.conf

[streamfwd://streamfwd]
splunk_stream_app_location = https://<HF_IP>:8000/en-us/custom/splunk_app_stream/
disabled = 0
stream_forwarder_id = 
sslVerifyServerCert = false

 

Labels (2)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎10-06-2020 07:23 AM

How busy is your DNS server?

Also, you've limited the maxKbps of the UF to 4 Mb.  If during busy times the DNS entries exceed 4 Mb, then it just buffers it all, and that would use a lot of memory.

If I were you, I'd raise those limits WAY up higher, or remove then completely, and see what change that makes.  Try it at 'maxKbps=0'  (Which is unlimited)

You can always set it back to something less than unlimited after testing proves this solves it or does not solve it.  Frankly, I'd just leave it set to unlimited and build out indexer ingestion if you have to.  The only reasons I can think of to leave it limited is to not fill a small pipe, like a WAN connection that's underprovisioned for what's needed.

 

Happy Splunking,

Rich

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎10-06-2020 07:23 AM

How busy is your DNS server?

Also, you've limited the maxKbps of the UF to 4 Mb.  If during busy times the DNS entries exceed 4 Mb, then it just buffers it all, and that would use a lot of memory.

If I were you, I'd raise those limits WAY up higher, or remove then completely, and see what change that makes.  Try it at 'maxKbps=0'  (Which is unlimited)

You can always set it back to something less than unlimited after testing proves this solves it or does not solve it.  Frankly, I'd just leave it set to unlimited and build out indexer ingestion if you have to.  The only reasons I can think of to leave it limited is to not fill a small pipe, like a WAN connection that's underprovisioned for what's needed.

 

Happy Splunking,

Rich

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...