Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

When Linux opens files, splunk crashes due to file descriptors-How can I fix this?

Gabriel_CCI
Explorer
‎04-11-2022 01:15 PM

Dear All.
I have a problem with the number of files opened by Linux, I have set the ulimit parameter to 999999 but I still have Splunk service crashes due to file descriptors,  this happens in the Search heads, is there a way to tell Splunk not to open more files ?, I have tried with

[inputproc]
max_fd = 120000

but it keeps opening many more files

The Linux version is

Oracle Linux Server release 7.8

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

Gabriel_CCI
Explorer
‎04-29-2022 06:45 AM

How I can count the number of open files per minute by query in Splunk?

thanks

0 Karma
Reply

Gabriel_CCI
Explorer
‎04-12-2022 05:39 AM

Yes, the parameter 999999 was set for the splunk user, but it still crashes and another symptom that I have detected is that when many files are opened in the SH port 8089 is queued.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-12-2022 05:46 AM

With systemd-managed service the limits are defined in the service unit file - /etc/systemd/system/<whatever_you_called_your_service> (by default it's called Splunkd.service_<date>).

There you have whole [Service] section which contains the limits (among other things).

If you edit the file, remember to reload the systemd configuration so it picks up new settings.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-12-2022 05:41 AM

Hi @Gabriel_CCI,

the smartest solution is to open a Case to Splunk Support.

Did you used Monitor Console Health Check, to be sure that the ulimit is applied?

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-11-2022 11:34 PM

Hi @Gabriel_CCI,

did you performed the Monitor Console Health Check?

In this way you can be sure about the parameter.

Anyway, you have to configure ulimit for the user running Splunk (usually splunk or root,

in othe words, in "/etc/security/limits.conf" you have to configure (if your Splunk is running under the "splunk" user) :

splunk    hard    nofile  999999
splunk    soft    nofile  999999

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...