Getting Data In

optimize/limit metrics data sent from forwarders

henryfox
Engager

We have a large number of Forwarders and would like to optimize the metrics data sent from them to the internal index.

The main goal is to have the a reasonable size of the index and still have enough data to search.

Is there a way to aggregate increase the sampling rate ? 

There is a setting in limits.conf 

[metrics]
interval = 30
masxeries = 10

increasing the pooling interval between samples from 30 seconds to lets say to 90 would decrease sampling and save some storage, right?

thansk for any hint.

 

 

 

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

If you're certain the data you want to change is in _internal then use limits.conf.  IME, customers get a ton of data from perfmon inputs and that is configured in inputs.conf.  It comes down to whether to refer to "metrics" or "Metrics".

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The setting you want to change is indeed called "interval", but it's in inputs.conf.  You'll need to change the setting for each perfmon stanza.  Yes, changing from 30 to 90 seconds will decrease sampling and save storage.

---
If this reply helps you, Karma would be appreciated.
0 Karma

henryfox
Engager

hi! the  documentation in  https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Limitsconf

specifies that the interval for metrics.log for _internal index is specified in the  limits.conf section.

or I'm i reading it wrong?

ty

[metrics]

interval = <integer>
* Number of seconds between logging splunkd metrics to metrics.log.
* Minimum of 10.
* Default: 30

maxseries = <integer>
* The number of series to include in the per_x_thruput reports in metrics.log.
* Default: 10

  

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

If you're certain the data you want to change is in _internal then use limits.conf.  IME, customers get a ton of data from perfmon inputs and that is configured in inputs.conf.  It comes down to whether to refer to "metrics" or "Metrics".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...