I have a client that is using Splunk enterprise using TCP, we've been monitoring the number of ListenOverflows
, and increased net.core.somaxconn
from the original 128
. We noticed after a splunk restart, it looks like listen(...)
is still setting 128
. Is there a tunable in Splunk for TCP over 9997? I couldn't find it in the documentation. Most systems allow this to be tunable (i.e nginx, apache, etc).
To make that change, you'll need to edit $SPLUNK_HOME/etc/splunk-launch.conf and add this line below
SPLUNK_LISTEN_BACKLOG=new setting
And restart