Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to limit heavy forwarder bandwidth in limits.conf?

splunkreal
Motivator
‎05-25-2020 07:18 AM

Hello guys,

is it possible to limit Heavy forwarders bandwidth like UF (setting [thruput] in limits.conf for forwarders)?

Thanks.

* If this helps, please upvote or accept solution if it solved *
Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

splunkreal
Motivator
‎05-26-2020 07:26 AM

From support : "Splunk Heavy Forwarder does not have setting to limit network bandwidth."

* If this helps, please upvote or accept solution if it solved *

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

splunkreal
Motivator
‎05-26-2020 07:26 AM

From support : "Splunk Heavy Forwarder does not have setting to limit network bandwidth."

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-25-2020 07:22 AM

Hi @realsplunk,
yes it's the same thing, only one hint beware to the traffic to avoid that your HF will be the bottle neck of your network.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

splunkreal
Motivator
‎05-25-2020 08:10 AM

Hi Cusello,
we have +800 KB/s indexing Checkpoint through OPSEC app and other syslogs through tcp/udp basically.

Here are the confs :

[root@HFSIEM01 ~]# grep -r -i maxKBps /OPT/siem/splunk/etc
/OPT/siem/splunk/etc/system/README/server.conf.spec:    1. maxKBps (in limits.conf)
/OPT/siem/splunk/etc/system/README/limits.conf.spec:maxKBps = <integer>
/OPT/siem/splunk/etc/system/README/limits.conf.spec:  * The thruput processor applies the 'maxKBps' setting for each
/OPT/siem/splunk/etc/system/README/limits.conf.spec:    pipelines, the processor multiplies the 'maxKBps' value

/OPT/siem/splunk/etc/system/default/limits.conf:maxKBps = 0
/OPT/siem/splunk/etc/apps/SplunkLightForwarder/default/limits.conf:maxKBps = 256

If I understand conf file precedence and if it applied, the limit should be 256?

Thanks.

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...