We are running Splunk 6.6.3 and have UFs on our syslog servers. We are finding some of the data gets behind for some of the hosts that the syslog server has files for.
Some of the files get very large throughout the day (the file for each host sending tot he syslog server cycle into a new file daily). At least 3 of the files get to a point where Splunk is enqueuing the files into Batch mode. these files are mostly from our InfoBlox servers or our Panorama for our firewalls.
The syslogs servers are not being over taxed so I should be able to adjust some numbers higher to allow for better thruput but not sure what the best setting changes would be.
Thanks.
↧