Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the default thruput limit and what queue size increases are recommended for a busy Windows universal forwarder?

robf
Path Finder
‎06-04-2015 03:17 AM

What is the default for thruput as it's not specified?

[thruput]
maxKBps = <integer>
 If specified and not zero, this limits the speed through the thruput processor to the specified 
rate in kilobytes per second.
 To control the CPU load while indexing, use this to throttle the number of events this indexer 
processes to the rate (in KBps) you specify.

What queue size increases are recommended for a busy Windows Universal Forwarder? Shat is the negative impact of having big queues?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎06-13-2015 08:44 PM

Remark :
Please do not thing that increasing the queue size will resolve this issue permanently.

You want to allow faster speed instead.

256 KBps will allow the FWD to do up to 115Mb per hour.
https://www.google.com/search?btnG=1&pws=0&q=256+kbps+to+mb+per+hour&gws_rd=ssl

So if you are monitoring a very busy instance (like a windows DC), you have to bump or remove the limit.

  • you can work by increments. By example 1024KBps, then 2048Kbps etc... until you do not see a huge delay in the indexing of the events
  • or remove the limit (maxKBps=0), and check the results in metrics.log.

If you have no idea of the actual average volume or delay, check this guide :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/Troubleshootingeventsindexingdelay

Reply

ppablo
Retired
‎06-04-2015 10:58 AM

Hi @robf

According to this page from documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/Troubleshootingeventsindexingdelay...
the default thruput limit is 256KBps. As for the recommendations and negative impacts on queue size, I have no clue, so hopefully someone well versed in that area will come along and help you out.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...