Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What is the max file size that a universal forwarder can input via a batch stanza?

mdwecht
Path Finder
‎12-11-2019 08:34 AM

Splunk universal forwarder inputs.conf batch stanza is attempting to read CSV files that range in size from a 10MB to 2GB.
On the forwarder the splunkd.log shows "Stale file handle" and "CRC calculation" related warnings and errors on the larger files

i.e. 800MB and 1.4GB.
The files are not indexed and then they are deleted.

Are there hard or configured file size limits?
and/or What might cause these issues other than file size?

0 Karma
Reply

BainM
Communicator
‎12-11-2019 09:34 AM

HI mdwecht-
File size should not really matter at all. It's all about throughput and events (IMHO).
Do your CSV files have multiple events or are they seen as one giant event? You might have to experiment with smaller chunks fo the same data in another CSV file to see how the events are appearing in Splunk.

For "Speed" - You may want to adjust this setting:
[thruput]
maxKBps =
in limits.conf file. There should be a default on on the forwarder:

$SPLUNK_HOME/etc/system/default/

But, make sure to only alter the ../local directory. If the limits.conf file is not there, just create one with the stanza I specified.
Ref: link text

For the CRC Calc errors, are you altering the file in any manner? If the file is altered before Splunk can finish reading it through, that can be an issue:
Reference: link text

Hope this helps,
Mike

0 Karma
Reply

mdwecht
Path Finder
‎12-11-2019 01:25 PM

The CSV files have an event per line, when the smaller files of same sourcetype are read and indexed the events look fine in splunk, universal forwarders out of the box are throughput limited so we always set maxKBps = 0. The actual warnings/errors I get are "WARN FileInputTracker - Error reading CRC: Stale file handle" and/or "ERROR WatchedFile - Error reading file". The files are not in motion when Splunk is reading them. They are delivered to a folder via nifi safe write i.e. COPIED into the folder named with a preceding "." and then MOVED to the name the Splunk inputs.conf batch stanza is looking for without the preceding ".".

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...