Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the default thruput limit and what queue size increases are recommended for a busy Windows universal forwarder?

robf
Path Finder
‎06-04-2015 03:17 AM

What is the default for thruput as it's not specified?

[thruput]
maxKBps = <integer>
 If specified and not zero, this limits the speed through the thruput processor to the specified 
rate in kilobytes per second.
 To control the CPU load while indexing, use this to throttle the number of events this indexer 
processes to the rate (in KBps) you specify.

What queue size increases are recommended for a busy Windows Universal Forwarder? Shat is the negative impact of having big queues?

0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎06-13-2015 08:44 PM

Remark :
Please do not thing that increasing the queue size will resolve this issue permanently.

You want to allow faster speed instead.

256 KBps will allow the FWD to do up to 115Mb per hour.
https://www.google.com/search?btnG=1&pws=0&q=256+kbps+to+mb+per+hour&gws_rd=ssl

So if you are monitoring a very busy instance (like a windows DC), you have to bump or remove the limit.

  • you can work by increments. By example 1024KBps, then 2048Kbps etc... until you do not see a huge delay in the indexing of the events
  • or remove the limit (maxKBps=0), and check the results in metrics.log.

If you have no idea of the actual average volume or delay, check this guide :
http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/Troubleshootingeventsindexingdelay

Reply

ppablo
Retired
‎06-04-2015 10:58 AM

Hi @robf

According to this page from documentation:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Troubleshooting/Troubleshootingeventsindexingdelay...
the default thruput limit is 256KBps. As for the recommendations and negative impacts on queue size, I have no clue, so hopefully someone well versed in that area will come along and help you out.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...