Splunk Search

Splunk Listen Backlog Queue

chrisgoffient
New Member

I have a client that is using Splunk enterprise using TCP, we've been monitoring the number of ListenOverflows, and increased net.core.somaxconn from the original 128. We noticed after a splunk restart, it looks like listen(...) is still setting 128. Is there a tunable in Splunk for TCP over 9997? I couldn't find it in the documentation. Most systems allow this to be tunable (i.e nginx, apache, etc).

Tags (2)
0 Karma

mwidjaja_splunk
Splunk Employee
Splunk Employee

To make that change, you'll need to edit $SPLUNK_HOME/etc/splunk-launch.conf and add this line below
SPLUNK_LISTEN_BACKLOG=new setting

And restart

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...