Getting Data In

What should the forwarder ulimit -s be?

ddrillic
Ultra Champion

When bringing up a new forwarder, it says -

WARNING: Stack size limit (ulimit -s) is set low (2097152 bytes) Splunk may not work.
You may want to run "ulimit -s unlimited" before starting splunk. 

We see -

[splnkfwd@apsrs3949 dan]$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 96030
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 4096
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 2048
cpu time               (seconds, -t) unlimited
max user processes              (-u) 5120
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

How should we set ulimit and specifically ulimit -s? assuming ulimit -s unlimited is not doable...

0 Karma
1 Solution

woodcock
Esteemed Legend

This setting on the forwarder should be set to accommodate the native function of that server and not to accommodate the splunk forwarder client. The Splunk forwarder client imposes no significant impact to inodes, so as long as your native function is OK, then you should not have to concern yourself with updating this setting when you install the splunk forwarder client. Do you have reason to suspect there is a problem on your forwarder? Of course, if your forwarder exists only for the purpose of being a forwarder and is simply a dumping-ground/way-station for files from other systems to be forwarded into Splunk, then I would say ulimit -s unlimited is the way to go. Why is this not an option?

View solution in original post

woodcock
Esteemed Legend

This setting on the forwarder should be set to accommodate the native function of that server and not to accommodate the splunk forwarder client. The Splunk forwarder client imposes no significant impact to inodes, so as long as your native function is OK, then you should not have to concern yourself with updating this setting when you install the splunk forwarder client. Do you have reason to suspect there is a problem on your forwarder? Of course, if your forwarder exists only for the purpose of being a forwarder and is simply a dumping-ground/way-station for files from other systems to be forwarded into Splunk, then I would say ulimit -s unlimited is the way to go. Why is this not an option?

ddrillic
Ultra Champion

Thank you woodcock! About setting 'ulimit -s unlimited' - we work with all kinds of SAa and it might be an issue or not. The forwarder on this server crashed once already since it was installed just a couple of days ago, so I wonder what the recommendation is in case 'ulimit -s unlimited' is not doable.

0 Karma

woodcock
Esteemed Legend

Did it crash because it ran out of inodes? Why would unlimited be a problem? Unless you have a reason to limit inodes, IMHO, you should not do so because miscalculations (shortages) usually cause surprise outages (as you may be experiencing).

0 Karma
Get Updates on the Splunk Community!

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

  Tech Talk Streamlined Observability for Your Cloud Environment Register    Out of the Box to Up And Running ...