Getting Data In

Missing per_*_thruput metrics on 9.3.x Universal forwarders.

hrawat
Splunk Employee

Apply the following workaround in default-mode.conf.

Additionally, you can also push this change via DS push across thousands of universal forwarders.

Add index_thruput to the list of disabled processors.

Add the following line as is in default-mode.conf.

 

#Turn off a processor
[pipeline:indexerPipe]
disabled_processors= index_thruput, indexer, indexandforward, latencytracker, diskusage, signing,tcp-output-generic-processor, syslog-output-generic-processor, http-output-generic-processor, stream-output-processor, s2soverhttpoutput, destination-key-processor

 

 

NOTE: PLEASE DON'T APPLY ON HF/SH/IDX/CM/DS. You want to use a different app (not the SplunkUniversalForwarder app) to push the change.



sborys93
Engager

Just so it's known. There is a difference between placing this in 

~/etc/apps/SplunkUniversalForwarder/default/default-mode.conf

vs

~/etc/system/default/default-mode.conf

You want to place this in ~/etc/apps/SplunkUniversalForwarder/default/default-mode.conf, otherwise it doesn't work.

0 Karma

hrawat
Splunk Employee

You should not make any changes in any default (~/etc/system/default/default-mode.conf / ~/etc/apps/SplunkUniversalForwarder/default/default-mode.conf) folders.

Either in 

~/etc/system/local/default-mode.conf/
Or
~/etc/apps/SplunkUniversalForwarder/local/default-mode.conf

sborys93
Engager

Just to confirm here. When we say.

"Note: As a side effect of this issue, maxKbps(limits.conf) will also be impacted as it requires thruput metrics to function."

Are we saying that the following parameter in limits.conf is no longer applied/valid when modified?

[thruput]

maxKBps


I originally thought this was solely a regression on the thruput maxKBps metric not being displayed in the logs.

0 Karma

hrawat
Splunk Employee

>Are we saying that the following parameter in limits.conf is no longer applied/valid when modified?
Yes on UF.

hrawat
Splunk Employee

Note: As a side effect of this issue, maxKbps(limits.conf) will also be impacted as it requires thruput metrics to function.

0 Karma

jstratton
Explorer

@hrawat wrote:

Note: As a side effect of this issue, maxKbps(limits.conf) will also be impacted as it requires thruput metrics to function.


Can you elaborate on how maxKbps is impacted?

0 Karma

hrawat
Splunk Employee

maxKbps is calculated from name=thruput. Since it's missing, maxKbps is not working/applied.

jstratton
Explorer

@hrawat wrote:

maxKbps is calculated from name=thruput. Since it's missing, maxKbps is not working/applied.


Thx. Splunk is certain they will not back port the fix to 9.3.x and 9.4.x? Having per_*_thruput *and* maxKbps broken w/o the workaround seems worthy of a back port. Or at the very least, the "Known Issues" for SPL-263518 should be updated to mention maxKbps not working / applied.

0 Karma

hrawat
Splunk Employee

>maxKbps broken w/o the workaround 

Same workaround for maxKbps as well.

#Turn off a processor
[pipeline:indexerPipe]
disabled_processors= index_thruput, indexer, indexandforward, latencytracker, diskusage, signing,tcp-output-generic-processor, syslog-output-generic-processor, http-output-generic-processor, stream-output-processor, s2soverhttpoutput, destination-key-processor

  

0 Karma

hrawat
Splunk Employee

maxKbps was reported a few days ago and it will be added to the known issues as well.

d16
Engager

I am a bit confused on the guidance here...

Does this re-enable the log(s) ? 

We use the file /opt/splunkforwarder/var/log/splunk/metrics.log to check on our Linux UF deploys that the /var/log/messages and auditd are appearing to send with some basic foo in our deploy scripts. With the SPL-263518 this is disabled by default now and we either need to identify another method of a simple local check or we need to re-enable group=per_source_thruput so we can rely on that check:

[ "$(sudo grep -c -e 'INFO  Metrics - group=per_source_thruput, series="/var/log/messages", kbps=' /opt/splunkforwarder/var/log/splunk/metrics.log)" -ne 0 ]

 

Is there a full writeup on SPL-263518 that has more info than the simple blurb on known-issues starting with 9.3.x? aka: was this removed for a security reason or just simply to reduce local log writes, etc? 

0 Karma
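Added example (not part of the thread and not Splunk's own tooling): a deploy-time check along the lines described in the post above that tells a source with no `per_source_thruput` line apart from a forwarder where the whole metrics group is absent, as with SPL-263518 before the workaround. The function names, exit codes and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Exit codes are this example's convention:
#   0  every SOURCE has a per_source_thruput line
#   1  the group is logged, but at least one SOURCE is missing
#   2  no per_source_thruput lines at all: metrics absent (SPL-263518
#      without the workaround), so forwarding cannot be judged from this log
#   3  metrics.log not readable
check_uf_metrics() {   # check_uf_metrics LOGFILE SOURCE...
    log=$1; shift
    [ -r "$log" ] || return 3
    grep -q 'Metrics - group=per_source_thruput, ' "$log" || return 2
    missing=0
    for src in "$@"; do
        # -F matches the series path literally instead of as a regex
        if ! grep -qF "group=per_source_thruput, series=\"$src\", kbps=" "$log"; then
            echo "no per_source_thruput line for $src" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed metrics.log lines for an offline run (not real forwarder output).
write_sample() {   # write_sample FILE healthy|regressed
    ts='10-01-2025 12:00:00.000 +0000 INFO  Metrics - '
    {
        echo "${ts}group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=0"
        if [ "$2" = healthy ]; then
            echo "${ts}group=per_source_thruput, series=\"/var/log/messages\", kbps=0.412, eps=1.2"
            echo "${ts}group=thruput, name=thruput, instantaneous_kbps=0.412"
        fi
    } > "$1"
}

demo=$(mktemp)
write_sample "$demo" healthy
check_uf_metrics "$demo" /var/log/messages && echo "forwarding confirmed"
rm -f "$demo"
```

Treating exit code 2 separately keeps a deploy script from reporting "not forwarding" on a 9.3.x/9.4.x UF that simply has no thruput metrics to inspect.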

hrawat
Splunk Employee

>Does this re-enable the log(s) ? 
Yes

>we need to re-enable group=per_source_thruput so we can rely on that check

Apply the workaround.

>was this removed for a security reason or just simply to reduce local log writes, etc? 

Accidentally got removed (regression).

d16
Engager

Ah ok - that's helpful info. The SPL-263518 on both 9.3 and 9.4 releases doesn't really state it was a regression and there's no link there explaining that... It would be easier as a consumer if that SPL linked to a longer writeup/explanation.

Do you happen to know if there is a plan/timeline for re-adding it?

Will it go into like 9.3.3 and 9.4.1 or will 9.3 and 9.4 just keep this regression and then 9.5 will re-add perhaps?

0 Karma

hrawat
Splunk Employee

9.5/10.0 (depending on actual future version) has the fix. Meaning the functionality is restored.
Not backported for 9.3.x/9.4.x.  

hrawat
Splunk Employee

Applying on non-UF (e.g. HF) will break thruput metrics. Added a warning to the post. Thanks for asking a great question.

gjanders
SplunkTrust

Thanks for the information, I assume the target is to fix this in a future UF 9.3.x release?

Furthermore, would you happen to know what would happen if the setting was accidentally applied on a HF?

 

Clients of our deployment server will sometimes run a Splunk enterprise version instead of a UF so I suspect we will need to be careful...

0 Karma