Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does increasing time_before_close in splunk have any performance side effects ?

sfmandmdev
Path Finder
‎09-28-2012 03:38 PM

We have jvm gc logs which are pausing while writing loglines for more than a minute. So are thinking of increasing the time_before_close to a value more than 60 secs. But before doing that there are couple questions I wanted addressed:

  1. Does increasing time_before_close field lead to performance degradation of splunk ?
  2. Is there a splunk config to apply this setting only to particular log files in the app ? Reason being could monitoring the jvm logs longer affect splunk forwarding/indexing other logs ?
Tags (1)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-30-2012 06:51 PM

For your first question, the answer is most likely "maybe, depending on your exact circumstances". It's hard to make absolute statements about this. Depending on how many files you're tailing, it could mean you'll need more file handles for Splunk to use because each one will stay open longer. If you are only tailing a couple of hundred files, it might not matter. If you are tailing thousands, it could be a different story.

For your second question, this setting is global for the instance of Splunk. There's no way to (as of version 4.3) on a per-stanza or similar basis. You could always submit an enhancement request to improve this functionality.

0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...