Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the default thruput limit and what queue size increases are recommended for a busy Windows universal forwarder?

robf
Path Finder
‎06-04-2015 03:17 AM

What is the default for thruput as it's not specified?

[thruput]
maxKBps = <integer>
 If specified and not zero, this limits the speed through the thruput processor to the specified 
rate in kilobytes per second.
 To control the CPU load while indexing, use this to throttle the number of events this indexer 
processes to the rate (in KBps) you specify.

What queue size increases are recommended for a busy Windows Universal Forwarder? Shat is the negative impact of having big queues?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎06-13-2015 08:44 PM

Remark :
Please do not thing that increasing the queue size will resolve this issue permanently.

You want to allow faster speed instead.

256 KBps will allow the FWD to do up to 115Mb per hour.
https://www.google.com/search?btnG=1&pws=0&q=256+kbps+to+mb+per+hour&gws_rd=ssl

So if you are monitoring a very busy instance (like a windows DC), you have to bump or remove the limit.

  • you can work by increments. By example 1024KBps, then 2048Kbps etc... until you do not see a huge delay in the indexing of the events
  • or remove the limit (maxKBps=0), and check the results in metrics.log.

If you have no idea of the actual average volume or delay, check this guide :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/Troubleshootingeventsindexingdelay

Reply

ppablo
Retired
‎06-04-2015 10:58 AM

Hi @robf

According to this page from documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/Troubleshootingeventsindexingdelay...
the default thruput limit is 256KBps. As for the recommendations and negative impacts on queue size, I have no clue, so hopefully someone well versed in that area will come along and help you out.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...