How to Minimize Light Forwarder Footprint?

mzorzi · ‎05-06-2010

I'm looking for a way to create a minimal light forwarder installation. What can I remove from the standard Splunk deployment to drastically reduce the disk space? Since all it does it's just forwarding data to the Indexer, I don't understand why the Light Forwarder installation has to be as large as the Indexer installation.

balbano · ‎05-12-2010

@CerielTjuh:

which indexes are ok to delete? Just curious as I am also trying to setup a very minimal installation of Splunk LF as one of my legacy servers CPU and Memory is going nuts...

Let me know more details. Thanks I appreciate the help.

Brian

CerielTjuh · ‎05-06-2010

Hi mzorzi,

I reduced my footprint by deleting the demo indexes on the forwarders, limiting the log size and log indexes and removing some of the apps, (gettingsstarted, sample app).

I deleted the indexes trough the web interface.
Log files i limited using the script below

appender.A1=RollingFileAppender appender.A1.fileName=${SPLUNK_HOME}/var/log/splunk/splunkd.log appender.A1.maxFileSize=50000000 (used to be 25 MB) appender.A1.maxBackupIndex=1 (used to be 5) appender.A1.layout=PatternLayout appender.A1.layout.ConversionPattern=%d{%m-%d-%Y %H:%M:%S.%l} %-5p %c - %m%n

Log Files Splunk Documentation

How to Minimize Light Forwarder Footprint?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?