Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Community
- :
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to limit heavy forwarder bandwidth in limits.c...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
realsplunk
Motivator
05-25-2020
07:18 AM
Hello guys,
is it possible to limit Heavy forwarders bandwidth like UF (setting [thruput] in limits.conf for forwarders)?
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
realsplunk
Motivator
05-26-2020
07:26 AM
From support : "Splunk Heavy Forwarder does not have setting to limit network bandwidth."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
realsplunk
Motivator
05-26-2020
07:26 AM
From support : "Splunk Heavy Forwarder does not have setting to limit network bandwidth."
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
gcusello
Legend
05-25-2020
07:22 AM
Hi @realsplunk,
yes it's the same thing, only one hint beware to the traffic to avoid that your HF will be the bottle neck of your network.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
realsplunk
Motivator
05-25-2020
08:10 AM
Hi Cusello,
we have +800 KB/s indexing Checkpoint through OPSEC app and other syslogs through tcp/udp basically.
Here are the confs :
[root@HFSIEM01 ~]# grep -r -i maxKBps /OPT/siem/splunk/etc
/OPT/siem/splunk/etc/system/README/server.conf.spec: 1. maxKBps (in limits.conf)
/OPT/siem/splunk/etc/system/README/limits.conf.spec:maxKBps = <integer>
/OPT/siem/splunk/etc/system/README/limits.conf.spec: * The thruput processor applies the 'maxKBps' setting for each
/OPT/siem/splunk/etc/system/README/limits.conf.spec: pipelines, the processor multiplies the 'maxKBps' value
/OPT/siem/splunk/etc/system/default/limits.conf:maxKBps = 0
/OPT/siem/splunk/etc/apps/SplunkLightForwarder/default/limits.conf:maxKBps = 256
If I understand conf file precedence and if it applied, the limit should be 256?
Thanks.
Did you miss .conf21 Virtual?
Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!
Catch Up Now >>
Get Updates on the Splunk Community!
