Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

When Linux opens files, splunk crashes due to file descriptors-How can I fix this?

Gabriel_CCI
Explorer
‎04-11-2022 01:15 PM

Dear All.
I have a problem with the number of files opened by Linux, I have set the ulimit parameter to 999999 but I still have Splunk service crashes due to file descriptors,  this happens in the Search heads, is there a way to tell Splunk not to open more files ?, I have tried with

[inputproc]
max_fd = 120000

but it keeps opening many more files

The Linux version is

Oracle Linux Server release 7.8

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

Gabriel_CCI
Explorer
‎04-29-2022 06:45 AM

How I can count the number of open files per minute by query in Splunk?

thanks

0 Karma
Reply

Gabriel_CCI
Explorer
‎04-12-2022 05:39 AM

Yes, the parameter 999999 was set for the splunk user, but it still crashes and another symptom that I have detected is that when many files are opened in the SH port 8089 is queued.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-12-2022 05:46 AM

With systemd-managed service the limits are defined in the service unit file - /etc/systemd/system/<whatever_you_called_your_service> (by default it's called Splunkd.service_<date>).

There you have whole [Service] section which contains the limits (among other things).

If you edit the file, remember to reload the systemd configuration so it picks up new settings.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-12-2022 05:41 AM

Hi @Gabriel_CCI,

the smartest solution is to open a Case to Splunk Support.

Did you used Monitor Console Health Check, to be sure that the ulimit is applied?

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-11-2022 11:34 PM

Hi @Gabriel_CCI,

did you performed the Monitor Console Health Check?

In this way you can be sure about the parameter.

Anyway, you have to configure ulimit for the user running Splunk (usually splunk or root,

in othe words, in "/etc/security/limits.conf" you have to configure (if your Splunk is running under the "splunk" user) :

splunk    hard    nofile  999999
splunk    soft    nofile  999999

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...