Splunk Search

Splunk Listen Backlog Queue

chrisgoffient
New Member

I have a client that is using Splunk enterprise using TCP, we've been monitoring the number of ListenOverflows, and increased net.core.somaxconn from the original 128. We noticed after a splunk restart, it looks like listen(...) is still setting 128. Is there a tunable in Splunk for TCP over 9997? I couldn't find it in the documentation. Most systems allow this to be tunable (i.e nginx, apache, etc).

Tags (2)
0 Karma

mwidjaja_splunk
Splunk Employee
Splunk Employee

To make that change, you'll need to edit $SPLUNK_HOME/etc/splunk-launch.conf and add this line below
SPLUNK_LISTEN_BACKLOG=new setting

And restart

0 Karma
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...