Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

forwarders constantly running

jszyba
New Member
‎03-19-2014 07:25 AM

Is there any way to have a forwarder process not constantly running but rather start up every x hours or so? I'm trying to avoid tying up to many resources on the server as the Splunk universal service seems to constantly consume 65MB of memory.

Tags (2)
0 Karma
Reply

kaufmanm
Communicator
‎03-19-2014 09:26 AM

jayzba, one way to do this would be with Windows scheduled tasks or Linux's cron.

In Windows, you'd write two .cmd batch files, one that stops the service and one that starts the service.

stopSplunk.cmd would contain:
sc stop UniversalForwarder

startSplunk.cmd would contain
sc start UniversalForwarder

Then you'd schedule startSplunk to run at the top of every hour and run stopSplunk five minutes after every hour, or whatever particular times you're okay with Splunk running. e.g. If it can't run during business hours you could use these to start Splunk once a day in the middle of night or such.

In Linux you could put the command directly into cron:
0 * * * * * * * /opt/splunkforwarder/bin/splunk start
5 * * * * * * * /opt/splunkforwarder/bin/splunk stop

Reply

kaufmanm
Communicator
‎03-19-2014 10:11 AM

Splunk is stopped, but Scheduled Tasks or cron respectively are not, and will run the scripts or commands when the time comes.

Reply

aelliott
Motivator
‎03-19-2014 07:36 AM

you may be able to lower resources by only allowing a certain amount of traffic through:
http://answers.splunk.com/answers/53138/maximum-traffic-of-a-universal-forwarder

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎03-19-2014 07:36 AM

Hi jszyba,

sure, you can start and stop the universal forwarder for example by cron. The UF will pick up reading files where it left. The amount of memory used by the UF is mainly driven by the amount of files monitored by the UF, for example directories with a large number of files in it like rotated logs. Try to set your UF only to monitor the most recent files you need and set it to ignore rotated files by using for example ignoreOlderThan in inputs.conf or set the monitor stanza to the log file name you need.

hope this helps ...

cheers, MuS

Reply

jszyba
New Member
‎03-19-2014 08:18 AM

Can you give me an example of how I would start the UF every hour or so?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...