Monitoring Splunk

Splunk UF performance issue, not forwarding all log data

arun_kant_sharm
Path Finder

Hi Experts,

Splunk UF is installed on my NFS server. That NFS server is basically a log storage server;
a log rotation daemon is also running on that server, which converts files to gzip files after 24 hours, in the same location.
The NFS server is a single server, and it has a really large amount of data.

But sometimes my UF doesn't forward some files' data from the NFS server to my indexer servers.
Many files remain missing in my Splunk indexers.

The following parameters are the same for many of the sourcetypes in props.conf (yes, many events are really big):
TRUNCATE = 20000
MAX_EVENTS = 512
BREAK_ONLY_BEFORE = < [Set] >

Please suggest how I can improve my UF performance.


woodcock
Esteemed Legend

You have to have good hygiene for old logs. Hundreds of co-resident logs are fine, thousands are risky; above that you will experience a total breakdown in the UF's ability to search through them and send updates in a timely manner. Even if the *.tgz files do not match your monitor pattern, they will still cause this problem unless you MOVE THEM SOMEWHERE ELSE.
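The housekeeping the answer above calls for, as an added example that is not part of the thread: a POSIX sh helper that moves rotated *.gz logs out of the directory the UF monitors into a separate archive tree, plus a count you can run from cron to see whether the monitored directory is creeping toward the "thousands of files" range. All paths and the warning thresholds are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Moves compressed, rotated logs
# out of a Splunk UF monitor path so the forwarder's file tracker only
# has to walk the live files. Paths and thresholds are assumptions.

# Move every *.gz under SRC older than AGE_DAYS (default 1) into DST,
# preserving the relative path so the archive mirrors the monitored tree.
archive_rotated_logs() {
    src="$1"; dst="$2"; age_days="${3:-1}"
    find "$src" -type f -name '*.gz' -mtime +"$age_days" | while IFS= read -r f; do
        rel="${f#"$src"/}"
        mkdir -p "$dst/$(dirname "$rel")"
        mv "$f" "$dst/$rel"
    done
}

# How many compressed files are still sitting next to the live logs.
count_compressed() {
    find "$1" -type f -name '*.gz' | wc -l | tr -d ' '
}

# Rough health check on the monitored tree: OK below 1000 files,
# WARNING in the thousands, CRITICAL above 10000 (assumed cut-offs
# following the rule of thumb in the answer above).
check_monitored_dir() {
    n=$(find "$1" -type f | wc -l | tr -d ' ')
    if [ "$n" -gt 10000 ]; then
        echo "CRITICAL"
    elif [ "$n" -gt 1000 ]; then
        echo "WARNING"
    else
        echo "OK"
    fi
}

# Example invocation (assumed paths):
#   archive_rotated_logs /var/log/nfs-logs /archive/nfs-logs 1
#   check_monitored_dir  /var/log/nfs-logs
```

Run the archive step from cron shortly after the rotation daemon has produced the day's *.gz files, and keep the archive tree outside every path named in a [monitor://...] stanza; a blacklist on the input only stops the UF from indexing the files, it does not stop it from having to enumerate them.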

wmyersas
Builder

What do the inputs.conf entries look like?

What is the system load on your log aggregator?

How big is your Splunk env?

What network components (firewalls, load balancers, etc) are between the collector and Splunk?


arun_kant_sharm
Path Finder

In my Splunk env I have one NFS server (for log collection); the UF is installed on that server. It contains an inputs.conf file and a props.conf file. In inputs.conf, we monitor some directories and forward the data to a particular index, using the sourcetype defined in props.conf.

That NFS server is an on-premise server; it forwards data to 6 indexers. The indexers are EC2 instances that share the same AWS Route 53 record, in round-robin fashion (so no ALB/NLB/ELB between the indexers). Yes, I can also manage that NFS server using one Splunk master server. The indexer cold and frozen buckets are on AWS EFS drives, which are shared between all indexers. Apart from this there are some search head servers; yes, the SHs are connected to an ALB and then Route 53.

On the indexer servers I continuously store data from other on-premise servers, AWS servers, OpenShift servers, DB servers, and syslog servers.
