Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does increasing time_before_close in splunk have any performance side effects ?

sfmandmdev
Path Finder
‎09-28-2012 03:38 PM

We have jvm gc logs which are pausing while writing loglines for more than a minute. So are thinking of increasing the time_before_close to a value more than 60 secs. But before doing that there are couple questions I wanted addressed:

  1. Does increasing time_before_close field lead to performance degradation of splunk ?
  2. Is there a splunk config to apply this setting only to particular log files in the app ? Reason being could monitoring the jvm logs longer affect splunk forwarding/indexing other logs ?
Tags (1)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-30-2012 06:51 PM

For your first question, the answer is most likely "maybe, depending on your exact circumstances". It's hard to make absolute statements about this. Depending on how many files you're tailing, it could mean you'll need more file handles for Splunk to use because each one will stay open longer. If you are only tailing a couple of hundred files, it might not matter. If you are tailing thousands, it could be a different story.

For your second question, this setting is global for the instance of Splunk. There's no way to (as of version 4.3) on a per-stanza or similar basis. You could always submit an enhancement request to improve this functionality.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...