Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

High IOPS on target NAS

selvig
Engager
‎12-06-2012 11:17 AM

We're running Splunk 4.3.3 on a Linux box. The target log files are on a NetApp NAS, accessed by Splunk through an NFS mount. The target log files are Java application server log4j logs. The naming convention is such that the current log is always -.log, and Splunk is set to use that as its data source, eg it is only targetting that one file per data input, as opposed to looking at everything after the /.
What we're seeing is that the Splunk user account shows up as the top IOPS consumer on the NetApp. Why is this so high, and are there any ways to reduce this? We could move to another OS for the Splunk indexers, as there's some thought that Solaris might read the logs more efficiently. Is there any advantage in using followtail = 0 versus followtail = 1? Any other suggestions?

Tags (2)
0 Karma
Reply

RicoSuave
Builder
‎12-06-2012 12:31 PM

Follow tail and when to use it has been discussed at great lengths here: http://splunk-base.splunk.com/answers/57819/when-is-it-appropriate-to-set-followtail-to-true

As for the IOPS well this will be normal since you are reading data from the NAS. This should be mostly Read operations and if this log file is big and this is the first time indexing it then splunk will read it as fast as it can. If this is a forwarder you can limit how fast it reads the file, subsequently lessening the load by adjusting the thruput attribute in limits.conf. On a forwarder it defaults to 256, unlimited on indexer.

Reply

RicoSuave
Builder
‎12-06-2012 12:47 PM

I answered first, so accept this answer. 😉

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...