Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

What is the default thruput limit and what queue size increases are recommended for a busy Windows universal forwarder?

robf
Path Finder
‎06-04-2015 03:17 AM

What is the default for thruput as it's not specified?

[thruput]
maxKBps = <integer>
 If specified and not zero, this limits the speed through the thruput processor to the specified 
rate in kilobytes per second.
 To control the CPU load while indexing, use this to throttle the number of events this indexer 
processes to the rate (in KBps) you specify.

What queue size increases are recommended for a busy Windows Universal Forwarder? Shat is the negative impact of having big queues?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎06-13-2015 08:44 PM

Remark :
Please do not thing that increasing the queue size will resolve this issue permanently.

You want to allow faster speed instead.

256 KBps will allow the FWD to do up to 115Mb per hour.
https://www.google.com/search?btnG=1&pws=0&q=256+kbps+to+mb+per+hour&gws_rd=ssl

So if you are monitoring a very busy instance (like a windows DC), you have to bump or remove the limit.

  • you can work by increments. By example 1024KBps, then 2048Kbps etc... until you do not see a huge delay in the indexing of the events
  • or remove the limit (maxKBps=0), and check the results in metrics.log.

If you have no idea of the actual average volume or delay, check this guide :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/Troubleshootingeventsindexingdelay

Reply

ppablo
Retired
‎06-04-2015 10:58 AM

Hi @robf

According to this page from documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/Troubleshootingeventsindexingdelay...
the default thruput limit is 256KBps. As for the recommendations and negative impacts on queue size, I have no clue, so hopefully someone well versed in that area will come along and help you out.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...