How can I verify basic OS tweaking is applied in t...

daniel333 · ‎02-04-2018

All,

So currently when I start an instance of Splunk I use an init.d script which disable THP and sets ulimits. How do I verify this is happening in the Docker container version of Splunk Enterprise?

outcoldman · ‎02-04-2018

@daniel333 you can aways attach to the running container with

docker exec -it [container_name] bash

and after that check this configurations as you always do by

ps aux

Find splunkd process and do

cd /proc/[splunkd]/
cat limits

cat /sys/kernel/mm/transparent_hugepage/enabled

mattymo · ‎02-05-2018

exec to container is what I would do, too.

We'll have to incorporate these best practices into the dockerfiles soon as well.

Other handy verification items are this searchindex=_internal source=*splunkd.log ulimit which runs at any startup and checks these items, or grep $SPLUNK_HOME/var/log/splunk/splunkd.log for ulimit. Also monitoring console health check has checks for this too.

Once you have set the configs the way you want, you'll want to verify these after restart.

- MattyMo

How can I verify basic OS tweaking is applied in the container version of Splunk?

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector