Monitoring Splunk
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Universal Forwarder Only Sends data once on Monitor Input config followed by Restart

ssadh_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 03:05 AM

I have a UF installed(v7.3.1) on CentOS with ulimits configured for max open files etc.

the file monitor input stanza looks as below:

[monitor:///<path_to_log_file>/*.log]
disabled = false
host_segment = 4
index = <index-name>
sourcetype = srctype
ignoreOlderThan = 1h

there are logs coming in at very high speed so the rsyslog creates a new file every 15mins, Hence the ignoreolderthan 1H clause is used .

Each time i configure a monitor stanza & restart UF.
It reads the files & sends it to the indexer. But after that, it doesn't forward any data.

UF splunkd.log stated that it was taking some huge files into batch mode & that maxKBPs limit had reached.
So I changed the limit.conf to set maxKBPs to 0.
There is no other error in Splunkd.log at UF & it still seems to be showcasing the same behavior.

Any pointers on how to resolve this or what else to look for?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ssadh_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 04:50 AM

Closing this as setting maxKBPs to zero in limits on UF fixed the issue.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ssadh_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 04:50 AM

Closing this as setting maxKBPs to zero in limits on UF fixed the issue.

0 Karma
Reply
Solved! Jump to solution

lmethwani_splun
Splunk Employee
Splunk Employee
‎08-28-2019 03:42 AM

@ssadh_splunk , As you mentioned rsyslog creates new file every 15 mins, can you try and increase the ignoreOlderThan parameter by 1 more hour?
For using wildcards, just make sure you are defining in correct manner.
Ref Doc: https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

Apart from that, configuration looks okay. The log files should get monitored continuously.

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎08-28-2019 03:37 AM

If you have monitoring console set, please check indexing performance on indexers. Is any indexing queue is getting full?

0 Karma
Reply
Solved! Jump to solution

ssadh_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 04:13 AM

So it seems like changing the maxKBPs limit to unlimited(0) fixed the problem.

Looks like UF was choking the default 256Kbps bandwidth once it picked up a huge file(~400MB).
I set the limits to 0 just before posting the question. Monitored this for about ~1.5hrs. Forwarder is reading & sending data across.

0 Karma
Reply
Get Updates on the Splunk Community!

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...
Top