Splunk Search

How can I verify basic OS tweaking is applied in the container version of Splunk?

daniel333
Builder

All,

So currently when I start an instance of Splunk I use an init.d script which disable THP and sets ulimits. How do I verify this is happening in the Docker container version of Splunk Enterprise?

0 Karma

outcoldman
Communicator

@daniel333 you can aways attach to the running container with

docker exec -it [container_name] bash

and after that check this configurations as you always do by

ps aux

Find splunkd process and do

cd /proc/[splunkd]/
cat limits

cat /sys/kernel/mm/transparent_hugepage/enabled

mattymo
Splunk Employee
Splunk Employee

exec to container is what I would do, too.

We'll have to incorporate these best practices into the dockerfiles soon as well.

Other handy verification items are this searchindex=_internal source=*splunkd.log ulimit which runs at any startup and checks these items, or grep $SPLUNK_HOME/var/log/splunk/splunkd.log for ulimit. Also monitoring console health check has checks for this too.

Once you have set the configs the way you want, you'll want to verify these after restart.

- MattyMo
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...