
why ulimit values are not persistent even after trying all the splunk recommended options

hegderm
Engager

Hello All,

I have tried updating ulimits values, but they are not persistent in all the instances. The production environment I am working on has a cluster/license master, a search head cluster, an indexer cluster and a few heavy forwarder instances.

- As per the Splunk recommendation, I tried updating ulimits in the /etc/security/limits.conf file and did the service restart. After that, ulimits were persistently updated only in the indexer instances, and in the rest of the instances there was no change in the ulimits values.

- I also tried hard-coding the ulimits values in the etc/init.d/splunk file inside the splunk start () function, which runs at boot start, and rebooted the instances. After that, ulimits were persistently updated only in the indexer and search head instances.

In the heavy forwarder and licence master instances, even if I try increasing ulimits, after a couple of hours they get reduced. Can you please suggest what can be done to set the ulimits persistently?

 


richgalloway
SplunkTrust

Have you tried setting ulimits when starting Splunk?  I put this code in my init.d/splunk file.

change_ulimit() {
  ulimit -Hn 65535
  ulimit -Sn 65535
  ulimit -Hu 20480
  ulimit -Su 20480
  ulimit -Hf unlimited
  ulimit -Sf unlimited
}

Then invoke the function when starting Splunk

case "$1" in
start)
   change_ulimit
   splunk_start
   ;;
stop)
   splunk_stop
   ;;
restart)
   change_ulimit
   splunk_restart
   ;;
status)
   splunk_status
   ;;
esac

If you use systemd, try these settings in the Splunk service file:

LimitNOFILE = 65535
LimitNPROC = 20480
LimitFSIZE = infinity
---
If this reply helps you, Karma would be appreciated.

isoutamo
SplunkTrust

And if your environment is using SELinux, then remember to run restorecon after changes!

r. Ismo

updated:

Create file /etc/security/limits.d/21-splunk.conf with content

splunk       soft    nofile     65536
splunk       hard    nofile     65536

Add also other user-specific limits to this file if/when needed.

Then run:

restorecon -FvvR /etc/security/limits.d

After that, a new login for user splunk is needed, and then it should work.

r. Ismo

thambisetty
SplunkTrust

And it requires a reboot of the server also.

————————————
If this helps, give a like below.

isoutamo
SplunkTrust

Actually not, just log out and log in as the user whose limit you have changed.

r. Ismo

thambisetty
SplunkTrust

/etc/init.d/splunk is executed at server booting. So I don’t think it works the way you think. 

————————————
If this helps, give a like below.

isoutamo
SplunkTrust

You could run it by hand any time you want. No need to wait for a reboot.
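Whether any of the changes discussed in this thread reached the running daemon can be read from /proc/<pid>/limits of that process. The following is an added example, not code from any poster or from Splunk: it compares the soft limits in such a file with the targets from the init.d reply above (65535 open files, 20480 processes, unlimited file size). The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a process's effective limits with the values
# suggested in this thread (nofile 65535, nproc 20480, fsize unlimited).

# soft_limit FILE NAME: print the soft value of row NAME in a /proc/<pid>/limits file
soft_limit() {
  awk -v name="$2" 'index($0, name) == 1 {
    split(substr($0, length(name) + 1), f, " "); print f[1]; exit }' "$1"
}

# meets HAVE WANT: succeed when HAVE is at least WANT ("unlimited" beats any number)
meets() {
  [ "$1" = "unlimited" ] && return 0
  [ "$2" = "unlimited" ] && return 1
  [ "$1" -ge "$2" ]
}

# check_limits FILE: report each limit, return 1 if any is below its target
check_limits() {
  file=$1; rc=0
  while IFS='|' read -r name want; do
    have=$(soft_limit "$file" "$name")
    if meets "${have:-0}" "$want"; then
      echo "OK   $name = $have"
    else
      echo "LOW  $name = ${have:-missing} (want $want)"; rc=1
    fi
  done <<EOF
Max open files|65535
Max processes|20480
Max file size|unlimited
EOF
  return $rc
}

# sample_limits: constructed /proc/<pid>/limits excerpt (not from a real host)
sample_limits() {
  cat <<EOF
Limit                     Soft Limit           Hard Limit           Units
Max file size             unlimited            unlimited            bytes
Max processes             20480                20480                processes
Max open files            4096                 65535                files
EOF
}

# With a PID argument, check that live process; otherwise do nothing.
if [ -n "${1:-}" ]; then check_limits "/proc/$1/limits"; fi
```

Run it with the PID of the running splunkd process as the only argument; a LOW line means the limit in effect for that process is below the target, whatever the configuration files say.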
