Solved: Do we have any SPLUNK recommended maximum size of ...

SplunkDash · ‎08-12-2023

Hello,

Do we have any SPLUNK recommended maximum size of a single source file for UFs to push? I know maximus size of Lookup is 500MB. But for SPLUNK UF based data ingestion, I have a few source files need to be ingested every day using UF and each of the size of source files is around 2.2 GB. Do you have any recommendations? Thank you so much.

isoutamo · ‎08-12-2023

Hi

I haven’t seen any recommendations for ingested files. More important is how much events come to it and could UF read it faster than new events come! This situation could cause delays for source events on this host especially if there are lot of files. 2.2GB/day isn’t any issue for UF if your source node can handle to generate that log.

r. Ismo

View solution in original post

isoutamo · ‎08-12-2023

Hi

I haven’t seen any recommendations for ingested files. More important is how much events come to it and could UF read it faster than new events come! This situation could cause delays for source events on this host especially if there are lot of files. 2.2GB/day isn’t any issue for UF if your source node can handle to generate that log.

r. Ismo

Do we have any SPLUNK recommended maximum size of a single source file for UFs to push?

universal forwarder

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!