Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Universal Forwarder Only Sends data once on Monitor Input config followed by Restart

ssadh_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 03:05 AM

I have a UF installed(v7.3.1) on CentOS with ulimits configured for max open files etc.

the file monitor input stanza looks as below:

[monitor:///<path_to_log_file>/*.log]
disabled = false
host_segment = 4
index = <index-name>
sourcetype = srctype
ignoreOlderThan = 1h

there are logs coming in at very high speed so the rsyslog creates a new file every 15mins, Hence the ignoreolderthan 1H clause is used .

Each time i configure a monitor stanza & restart UF.
It reads the files & sends it to the indexer. But after that, it doesn't forward any data.

UF splunkd.log stated that it was taking some huge files into batch mode & that maxKBPs limit had reached.
So I changed the limit.conf to set maxKBPs to 0.
There is no other error in Splunkd.log at UF & it still seems to be showcasing the same behavior.

Any pointers on how to resolve this or what else to look for?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ssadh_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 04:50 AM

Closing this as setting maxKBPs to zero in limits on UF fixed the issue.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ssadh_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 04:50 AM

Closing this as setting maxKBPs to zero in limits on UF fixed the issue.

0 Karma
Reply
Solved! Jump to solution

lmethwani_splun
Splunk Employee
Splunk Employee
‎08-28-2019 03:42 AM

@ssadh_splunk , As you mentioned rsyslog creates new file every 15 mins, can you try and increase the ignoreOlderThan parameter by 1 more hour?
For using wildcards, just make sure you are defining in correct manner.
Ref Doc: https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

Apart from that, configuration looks okay. The log files should get monitored continuously.

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎08-28-2019 03:37 AM

If you have monitoring console set, please check indexing performance on indexers. Is any indexing queue is getting full?

0 Karma
Reply
Solved! Jump to solution

ssadh_splunk
Splunk Employee
Splunk Employee
‎08-28-2019 04:13 AM

So it seems like changing the maxKBPs limit to unlimited(0) fixed the problem.

Looks like UF was choking the default 256Kbps bandwidth once it picked up a huge file(~400MB).
I set the limits to 0 just before posting the question. Monitored this for about ~1.5hrs. Forwarder is reading & sending data across.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...