Solved: Splunk universal forwarder performance

wsweat · ‎08-25-2012

Hello,

Is there a performance guide for the universal forwarder (v 4.3.3)?

The indexer is running at 2 events per second and I'm only running one universal forwarder. The indexer has 16 cores and 16GB of mem and I'm having the forwarder send over a dozen, or so, files that range from a 100MB - 20GB. Both systems are underutilized for both memory and cpu (server load is around 0.5 on both).

Thanks

_d_ · ‎08-25-2012

There is no guide, but in terms of thruput note the following:

A Universal Forwarder is capable of outputting at a much higher rate than a typical indexer can properly ingest.
A Universal Forwarder's default thruput is capped at 256KBps:

$SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default/limits.conf [thruput] maxKBps = 256

Hope this helps.

d.

View solution in original post

_d_ · ‎08-25-2012

There is no guide, but in terms of thruput note the following:

A Universal Forwarder is capable of outputting at a much higher rate than a typical indexer can properly ingest.
A Universal Forwarder's default thruput is capped at 256KBps:

$SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default/limits.conf [thruput] maxKBps = 256

Hope this helps.

d.

wsweat · ‎08-25-2012

I was looking in the $SPLUNK_HOME/etc/system/default/limits.conf file and didn't look in that directory.

I've made the change to 1024 and see the increased indexer activity.

Thanks!

Splunk universal forwarder performance

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation