Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why are the ulimits set correctly, not showing in splunk web?

TaraPennington
Loves-to-Learn Lots
‎01-22-2021 09:56 AM

I'm working on the initial set up of splunk single instance on prem and I haven't been able to get data in yet. I have installed the universal forwarder on 2 windows servers and installed the add on for windows on those servers. I get this message in the monitoring console.

ulimits.data_segment_size (current / recommended) ulimits.open_files (current / recommended) ulimits.user_processes (current / recommended)
-1 4096 / 64000 47318 / 16000

 

Then when I log onto the Cent OS server and look at ulimits and they are set as the recommended minimum values.

 

ulimits on server.PNG

How can I get the Splunk web to recognize how these settings are set on the server?

Labels (3)
Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-25-2021 12:16 PM

Hi @TaraPennington,

Can you try restarting the server? 

https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/ulimitErrors#Set_limits_using_.2...

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

TaraPennington
Loves-to-Learn Lots
‎01-25-2021 12:43 PM

I rebooted the server and still seeing the same messages in splunk web. Do I need to also change these settings from the link you sent? 

Set limits using the /etc/systemd configuration files

Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-25-2021 01:03 PM

If Splunk is running under systemd , it will help.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

TaraPennington
Loves-to-Learn Lots
‎01-26-2021 08:48 AM

I added these lines at the end of the /etc/security/limits.conf on the root profile, I'm still getting the same message.

TaraPennington_0-1611679553758.png

I didn't configure splunk to run on the systemd, so I didn't add those other settings.

This is how the bottom of the file looks, I'm not sure if these are entered correctly.

TaraPennington_1-1611679710764.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-22-2021 10:05 AM

Hi @TaraPennington,

for which user did you setted your ulimits?

You have to se it for te user who runs splunk process (usually root or splunk).

Ciao.

Giuseppe

0 Karma
Reply

TaraPennington
Loves-to-Learn Lots
‎01-22-2021 11:15 AM

It was using the root user account.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-22-2021 02:27 PM

Hi @TaraPennington,

did you configured ulimit in /etc/security/limits.conf ?
if not, you have to insert at the end of this file:

root hard nofile 64000
root soft nofile 64000

then exit from the user or restart Splunk.

Ciao.

Giuseppe

0 Karma
Reply

TaraPennington
Loves-to-Learn Lots
‎01-25-2021 09:48 AM

ulimits setulimits set

I believe I added those two lines to the end of the /etc/security/limits.conf correctly

I saved this and restarted splunk and am still getting the same message about ulimits.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-25-2021 11:34 PM

hi @TaraPennington,

to apply the updates, you have to:

  • exit the user,
  • access again,
  • restart Splunk.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
li.common.scroll-to.top