Solved: Updating limits.conf spath field for index cluster

jerm1020rq · ‎10-18-2021

I need to modify the limits.conf for an index cluster. My question is if i modify /$Splunk/etc/system/local/limits.conf can this be done on the cluster manager and pushed out or does this need to be modified on the individual indexers themselves?

richgalloway · ‎10-18-2021

Correct. etc/system/default has lowest priority, followed by apps, then etc/system/local.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-18-2021

Modifying $SPLUNK_HOME/etc/system/local on the CM has no effect on the indexers. That's because the CM pushes apps to the indexers and apps cannot override etc/system/local.

To modify limits.conf, create a new app in the CM's master-apps directory, put limits.conf in the default directory, then push the bundle to the indexers.

---
If this reply helps you, Karma would be appreciated.

jerm1020rq · ‎10-18-2021

Ah, so making an app with only the limits.conf and pushing it down to the indexers will take precedence over the limits.conf that already exists on the indexers under etc/system/default? Thank you for the response, I think if this is the case, I should be good to go. Thanks!

richgalloway · ‎10-18-2021

Correct. etc/system/default has lowest priority, followed by apps, then etc/system/local.

---
If this reply helps you, Karma would be appreciated.

Updating limits.conf spath field for index cluster

configuration

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?