Monitoring Splunk

Splunk universal forwarder thruput and internal Splunk log

lukasmecir
Path Finder

Hello,

I have a question about the [thruput] setting on the UF and the internal Splunk logs:

I did some tests with the Splunk UF. I needed to simulate a problem with the tcpout queue and therefore reduced the value of the parameter
[thruput]
maxKBps = <integer>
in the limits.conf file to low KBps values (e.g. 3 KBps). The UF is set to send its internal logs to the IDX. However, I noticed that with such a low value of this parameter, the UF stopped sending its internal metrics logs (i.e. the contents of the $SPLUNK_HOME/var/log/splunk/metrics.log file) to the IDX. Logs were still written to the $SPLUNK_HOME/var/log/splunk/metrics.log file, but were not sent to the IDX. Is this normal behavior? It looks as if there is a mechanism that prioritizes the collected data over the internal Splunk logs and suppresses the sending of the internal Splunk logs to the IDX. Is it really so? Is there such a mechanism?
I tried to find something about it in the documentation, but without success. Thank you in advance for any information.

Best regards

Lukas Mecir

0 Karma

lukasmecir
Path Finder

Hi @venkatasri 

Thanks for your input. I set the thruput setting in /system/local/limits.conf and observed the behavior described in my first post. To be clear, I am not complaining that the UF stopped sending its internal metrics logs with a low thruput. In fact, from my point of view it makes sense. I would just like someone who knows these things to confirm that there really is such a mechanism in Splunk, and that this is therefore expected and correct behavior.

0 Karma

venkatasri
SplunkTrust

Hi @lukasmecir 

There is no explicit mention of which inputs.conf stanzas take priority when thruput is low. The default thruput on a UF is 256. I believe it should still be ingesting the metrics logs, but at a very slow rate, and as you know they are configured under /system/default.

Your custom data inputs could be under /system/local or /app/local; those take precedence over /default, where the Splunk _internal logs are set to be monitored.

You can try moving the custom data inputs conf to /system/default and similarly moving the metrics-related conf to system or app/local, and give it a try. Try the command ./splunk list inputstatus to find the reason / where they have left off monitoring.

---

An upvote would be appreciated and Accept solution if it helps!

0 Karma
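Whether a throttled UF deprioritizes its own _internal data is not something the UF can report directly, but the thread's two ingredients, the [thruput] maxKBps ceiling in limits.conf and the group=thruput / group=queue lines that metrics.log writes, are enough to tell whether the ceiling is actually being hit and whether the tcpout queue is blocked while the test runs. The script below is an added example for this thread, not Splunk's own code: it reads maxKBps from limits.conf text, parses metrics.log lines, and flags a throttle that is pinned near its ceiling alongside any blocked queue. The limits.conf contents and the metrics.log lines are constructed for the example (the queue name tcpout_idx_group is made up; the field names are the ones metrics.log uses), and the 90 % headroom threshold is an arbitrary choice.

```python
"""Correlate a UF's [thruput] maxKBps ceiling with what its metrics.log reports.

Added example for this thread, not Splunk code. Assumes the standard
limits.conf [thruput] stanza and the group=thruput / group=queue lines
that metrics.log writes. The config text and log lines are constructed.
"""
import configparser
import re

# Constructed limits.conf: the 3 KBps test value from the post, and the
# UF default of 256 KBps for comparison.
TEST_LIMITS_CONF = """
[thruput]
maxKBps = 3
"""

DEFAULT_LIMITS_CONF = """
[thruput]
maxKBps = 256
"""

# Constructed metrics.log lines in the layout Splunk uses:
# "<timestamp> INFO  Metrics - group=<g>, key=value, key=value, ...".
# The tcpout queue name "tcpout_idx_group" is made up for the example.
SAMPLE_METRICS_LOG = """\
01-02-2024 10:00:31.123 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=2.97, instantaneous_eps=4.5, average_kbps=2.99, total_k_processed=1200, kb=92.5, ev=140, load_average=0.4
01-02-2024 10:00:31.123 +0000 INFO  Metrics - group=queue, name=tcpout_idx_group, blocked=true, max_size_kb=512, current_size_kb=512, current_size=1900, largest_size=1900, smallest_size=1850
01-02-2024 10:00:31.123 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=0, current_size=0, largest_size=3, smallest_size=0
"""

METRICS_RE = re.compile(r"Metrics - (?P<body>group=.*)$")


def read_max_kbps(limits_conf_text: str) -> int:
    """Return [thruput] maxKBps from limits.conf text; 256 is the UF default."""
    cp = configparser.ConfigParser()
    cp.read_string(limits_conf_text)
    return cp.getint("thruput", "maxKBps", fallback=256)


def parse_metrics_line(line: str) -> dict:
    """Turn one metrics.log line into a dict of its key=value fields ({} if not a Metrics line)."""
    m = METRICS_RE.search(line)
    if not m:
        return {}
    fields = {}
    for kv in m.group("body").split(", "):
        key, _, value = kv.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess_throttling(limits_conf_text: str, metrics_log_text: str, headroom: float = 0.9) -> dict:
    """Report whether average_kbps sits at the configured ceiling and which queues are blocked.

    headroom=0.9 (an arbitrary threshold) means "pinned" once the average
    reaches 90 % of maxKBps. maxKBps=0 disables the limit, so nothing can
    be pinned against it.
    """
    max_kbps = read_max_kbps(limits_conf_text)
    pinned = False
    blocked_queues = []
    for line in metrics_log_text.splitlines():
        f = parse_metrics_line(line)
        if f.get("group") == "thruput":
            avg = float(f["average_kbps"])
            if max_kbps > 0 and avg >= headroom * max_kbps:
                pinned = True
        elif f.get("group") == "queue" and f.get("blocked") == "true":
            blocked_queues.append(f["name"])
    return {"max_kbps": max_kbps, "pinned_at_ceiling": pinned, "blocked_queues": blocked_queues}


if __name__ == "__main__":
    for label, conf in (("test (3 KBps)", TEST_LIMITS_CONF), ("default (256 KBps)", DEFAULT_LIMITS_CONF)):
        print(label, assess_throttling(conf, SAMPLE_METRICS_LOG))
```

Run against a real UF, replace the two constants with the contents of $SPLUNK_HOME/etc/system/local/limits.conf and a tail of $SPLUNK_HOME/var/log/splunk/metrics.log; a pinned throttle together with a blocked tcpout queue is the state the original post set out to reproduce, and reading metrics.log locally sidesteps the very question the thread raises (whether that file still reaches the indexer while throttled).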