Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

splunk forwarder maximum monitored file limit?

JasonCzerak
Explorer
‎09-03-2012 10:11 PM

Is there a max file count a single forwarder can monitor? I have some oracle applications that generate 10,000's of new files daily, various sizes. I have a dedicated host that has these shared mounts mounted up and just scanning for new data. Every how and again it crashes the box. I can't seem to make anything out on the console.

Am I running into some sort of file limit?

Tags (1)
Reply

dart
Splunk Employee
Splunk Employee
‎09-04-2012 08:20 AM

Can you use a local forwarder on the source data, so we can determine if it's Splunk or mount related issues?

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎09-04-2012 12:39 PM

The Splunk on Splunk app will give you an idea of what's causing the queue blockage.
It's possible for a single Universal Forwarder to saturate an indexer if it has sufficient event throughput.

0 Karma
Reply

JasonCzerak
Explorer
‎09-04-2012 10:59 AM

09-04-2012 00:10:36.644 -0500 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
09-04-2012 00:10:37.836 -0500 INFO TailingProcessor - ...continuing.

0 Karma
Reply

JasonCzerak
Explorer
‎09-04-2012 10:14 AM

For one of the data sources, I have, and it works just fine with about 100,000 files. It's when I added several other data sources it broke down.

I do have these errors in splunkd.log that I've just noticed:
09-04-2012 03:06:06.730 -0500 INFO TailingProcessor - File descriptor cache is full (100), trimming...

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...