Re: UF on a machine with Compact Flash Card

markiemarkos · ‎12-10-2012

I am wondering if there is a particular configuration for running the universal forwarder on a machine with limited resources and a CF card for it's disk storage, obviously I want to reduce the number of writes to the card. Is it possible to have the Splunk DB run in RAM memory instead of disk (windows XP embedded OS)?

Additionally will the UF client store events while the receiving indexer is offline?

Many thanks

yannK · ‎12-11-2012

hints :

go to $SPLUNK_HOME/etc/log.cfg and reduce the number and size of the splunk internal logs to restrain them.
the only "database" of the forwarder is the fishbucket index used to keep track of the files monitored, it is persistent and will grow proportionally of the number of files monitored.
I do not know any way to have it run in memory, and it has to be on disk for persistence.
about the queues, by default they are very small, and in memory, if the indexer is blocked, the forwarder will simply pause the monitoring.

yannK · ‎12-12-2012

It basically keep the pointer on the last line from the files that were monitored, and resume once the forwarding is restored. (and discover new files)

Ayn · ‎12-12-2012

Yes, it will.

markiemarkos · ‎12-11-2012

"the forwarder will simply pause the monitoring."

Sorry for the request for clarification - so it doesn't forward the event which occured while the client was disconnected?

UF on a machine with Compact Flash Card

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation