Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

High IOPS on target NAS

selvig
Engager
‎12-06-2012 11:17 AM

We're running Splunk 4.3.3 on a Linux box. The target log files are on a NetApp NAS, accessed by Splunk through an NFS mount. The target log files are Java application server log4j logs. The naming convention is such that the current log is always -.log, and Splunk is set to use that as its data source, eg it is only targetting that one file per data input, as opposed to looking at everything after the /.
What we're seeing is that the Splunk user account shows up as the top IOPS consumer on the NetApp. Why is this so high, and are there any ways to reduce this? We could move to another OS for the Splunk indexers, as there's some thought that Solaris might read the logs more efficiently. Is there any advantage in using followtail = 0 versus followtail = 1? Any other suggestions?

Tags (2)
0 Karma
Reply

RicoSuave
Builder
‎12-06-2012 12:31 PM

Follow tail and when to use it has been discussed at great lengths here: http://splunk-base.splunk.com/answers/57819/when-is-it-appropriate-to-set-followtail-to-true

As for the IOPS well this will be normal since you are reading data from the NAS. This should be mostly Read operations and if this log file is big and this is the first time indexing it then splunk will read it as fast as it can. If this is a forwarder you can limit how fast it reads the file, subsequently lessening the load by adjusting the thruput attribute in limits.conf. On a forwarder it defaults to 256, unlimited on indexer.

Reply

RicoSuave
Builder
‎12-06-2012 12:47 PM

I answered first, so accept this answer. 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...