Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Forwarders Buffer size and best practices?

SplunkExplorer
Contributor
‎10-27-2022 07:41 AM

Hi Splunkers, I have some doubts about forwarder buffer, both universal and heavy.

The starting point is this: I know that, if an indexer goes down and it is receiving data by a UF,  this has a buffering mechanism to store data and send them to proper destination once it is up and running again. If I'm not wrong, the limits of this buffer can be set on a config file (I don't remeber well wich one). Now, the question are:

1. Even if the answer can be obvious, this mechanism is already available for HF?
2. How can I decide the maximum size of my buffer? is there a pre set limit or it depends on my environments?

Labels (1)
Labels
0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎10-27-2022 08:18 AM

Hi @SplunkExplorer 

theses attributes in outputs.conf will take care these 

maxQueueSize
autoLBFrequency
autoLBVolume
useAck

https://docs.splunk.com/Documentation/Splunk/8.2.7/Admin/Outputsconf 

SanjayReddy_0-1666883578695.png

SanjayReddy_1-1666883655795.png

SanjayReddy_2-1666883753342.png

 

 

 

0 Karma
Reply

SplunkExplorer
Contributor
‎10-27-2022 08:29 AM

Hi @SanjayReddy , thanks a lot. I didn't remember about the auto fields, I got memories only about useack and maxqueue size, very usefull.

About the max queue size, are there any souces I can use to understand the best/max value I can set in my environments? I ask this because my final question is: what is the max value I can set in maxQueueSize It depends by my hardware availability or there a limit I cannot overwhelm? 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...