By default most modern UNIX systems have pam_limits enabled, and /etc/security/limits.d/
Instead of editing /etc/security/limits.conf, create a file /etc/security/limits.d/99-splunk.com with the following
splunk hard nofile 20240
splunk soft nofile 10240
This just makes it easier to add/remove via any automation (puppet, chef..) or included in your own packages. This will also work if you for some reason chose to run anything splunk as 'root' too 😞 But that is an entirely different problem
(RBAC and facls) are your friend 😉
... View more