What is the default thruput limit and what queue s...

robf · ‎06-04-2015

What is the default for thruput as it's not specified?

[thruput]
maxKBps = <integer>
 If specified and not zero, this limits the speed through the thruput processor to the specified 
rate in kilobytes per second.
 To control the CPU load while indexing, use this to throttle the number of events this indexer 
processes to the rate (in KBps) you specify.

What queue size increases are recommended for a busy Windows Universal Forwarder? Shat is the negative impact of having big queues?

yannK · ‎06-13-2015

Remark :
Please do not thing that increasing the queue size will resolve this issue permanently.

You want to allow faster speed instead.

256 KBps will allow the FWD to do up to 115Mb per hour.
https://www.google.com/search?btnG=1&pws=0&q=256+kbps+to+mb+per+hour&gws_rd=ssl

So if you are monitoring a very busy instance (like a windows DC), you have to bump or remove the limit.

you can work by increments. By example 1024KBps, then 2048Kbps etc... until you do not see a huge delay in the indexing of the events
or remove the limit (maxKBps=0), and check the results in metrics.log.

If you have no idea of the actual average volume or delay, check this guide :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/Troubleshootingeventsindexingdelay

ppablo · ‎06-04-2015

Hi @robf

According to this page from documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/Troubleshootingeventsindexingdelay...
the default thruput limit is 256KBps. As for the recommendations and negative impacts on queue size, I have no clue, so hopefully someone well versed in that area will come along and help you out.

What is the default thruput limit and what queue size increases are recommended for a busy Windows universal forwarder?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life