Max data ingestion via UDP on Heavy Forwarder

ewan000 · ‎01-22-2020

Hi,

We are ingesting syslog and statsd data directly on a Heavy Forwarder via upd inputs

This seems to work fine for small volumes of data, but heavy load causes all the ingestion on these inputs to drop off. even ones not receiving large amounts of data.

What limits are there in splunk or linux which might cause this behaviour and does anyone know of a fix?

PS. I know the recommendation is to use a separate syslog box and then read the files. But the reason for this are always given as : "you lose data when you restart splunk" which is not a problem for us. Is there a secret reason?!

codebuilder · ‎01-23-2020

Increase maxKBps on your forwarder(s). The default value is 256. Increase this setting to a value appropriate to your system and cycle the daemon.

This setting is in the [thruput] stanza within limits.conf

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bthruput.5D

----
An upvote would be appreciated and Accept Solution if it helps!

ewan000 · ‎01-24-2020

Ill give this a go thanks

ewan000 · ‎01-24-2020

it should be noted though that the heavy forwarder is not indexing the data, just passing it on to indexers

codebuilder · ‎01-24-2020

That setting controls how much network thruput the forwarder is allowed to consume. The default setting is generally much too low for most implementations.

----
An upvote would be appreciated and Accept Solution if it helps!

Max data ingestion via UDP on Heavy Forwarder

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!