Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Re: Considerations regarding system-wide resource ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Splunk Admins
Just looking for some advice around setting the data segment size (ulimit -d) in Splunk, on a Linux server (RHEL).
Older documentation (v7.3) recommended setting this value to basically be an unlimited size, with a Kibibyte value of 1073741824 or ~1TB.
https://docs.splunk.com/Documentation/Splunk/7.3.8/Installation/Systemrequirements#Considerations_re...
| Data segment size | ulimit -d | 1073741824 |
I see the v8.x documentation has now changed the data segment size recommendation to be more a general guideline, with an 8GB example.
| Data segment size | ulimit -d | The maximum RAM you want Splunk Enterprise to allocate in kilobytes. For example, 8GB is 8000000. |
It appears Splunk do not really have a strong opinion on a minimum size now either. I think on RHEV Linux, the data segment size just defaults to unlimited anyway, or at least on our VM servers it does.
I don't believe setting this value alone helps protect Splunk from excessive memory use either. From what I can tell with googling about data segments, if it was indeed set to a value, then it does not even need to be set to an excessively large value. Happy to admit I'm no expert though.
Anyway, just wondering if anyone has some experience with setting this value in their environments, or even a view if this data segment size limit even really needs to be set at all - on Linux at least.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Will answer my own question.
I raised a case with Splunk and they basically came back and said they set their Linux servers to be unlimited for the data segment size value (ulimit -d unlimited).
# vi /etc/security/limits.conf
...<snip>...
# Data segment size: ulimit -d
splunk soft data unlimited
splunk hard data unlimited
Note, if using systemd then will be set under /etc/systemd/system/Splunkd.service - refer to doc links in question section.
Not sure why Splunk docs don't just specify the same unlimited value, as the current recommendation is vague and more confusing than useful.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Will answer my own question.
I raised a case with Splunk and they basically came back and said they set their Linux servers to be unlimited for the data segment size value (ulimit -d unlimited).
# vi /etc/security/limits.conf
...<snip>...
# Data segment size: ulimit -d
splunk soft data unlimited
splunk hard data unlimited
Note, if using systemd then will be set under /etc/systemd/system/Splunkd.service - refer to doc links in question section.
Not sure why Splunk docs don't just specify the same unlimited value, as the current recommendation is vague and more confusing than useful.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
