Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how can I improve indexing performance of Splunk monitoring huge number of fies?

Takajian
Builder
‎04-04-2013 02:33 AM

My application generates around 100,000 files per day. Although I tested to index them by monitoring files, it took almost a week. Anybody know cause of the issue and solution? I think it will be improved if number of active log files were not so many, but I have to do so in our environment.

Tags (1)
0 Karma
Reply

sbrant_splunk
Splunk Employee
Splunk Employee
‎04-07-2013 03:34 PM

It is possible to run multiple instances of Splunk forwarders. This is particularly easy on *nix systems. With this number of files, you may want to investigate this solution.

0 Karma
Reply

sbrant_splunk
Splunk Employee
Splunk Employee
‎04-07-2013 06:29 PM

There is no hard limit and it will require some testing to discover the breaking point. This question, looking for the same answer, basically says the same:

http://splunk-base.splunk.com/answers/57806/is-there-a-limit-on-the-number-of-files-a-forwarder-can-...

How are the files being written now? Are they in separate directories? Is there a naming convention?

0 Karma
Reply

macnica
Engager
‎04-07-2013 04:24 PM

Is there any sizing guideline of number of files that a forwarder can monitor? I would like to make plan how many forwarders is required for my case.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...