Splunk Search

Does increasing time_before_close in splunk have any performance side effects ?

sfmandmdev
Path Finder

We have jvm gc logs which are pausing while writing loglines for more than a minute. So are thinking of increasing the time_before_close to a value more than 60 secs. But before doing that there are couple questions I wanted addressed:

  1. Does increasing time_before_close field lead to performance degradation of splunk ?
  2. Is there a splunk config to apply this setting only to particular log files in the app ? Reason being could monitoring the jvm logs longer affect splunk forwarding/indexing other logs ?
Tags (1)
0 Karma

dwaddle
SplunkTrust
SplunkTrust

For your first question, the answer is most likely "maybe, depending on your exact circumstances". It's hard to make absolute statements about this. Depending on how many files you're tailing, it could mean you'll need more file handles for Splunk to use because each one will stay open longer. If you are only tailing a couple of hundred files, it might not matter. If you are tailing thousands, it could be a different story.

For your second question, this setting is global for the instance of Splunk. There's no way to (as of version 4.3) on a per-stanza or similar basis. You could always submit an enhancement request to improve this functionality.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...