Light Weight Splunk-2-Splunk forwarder Configuration
This documentation does not apply to the most recent version of Splunk.
The default Splunk Server configuration is designed for easy setup, with most modules and processors turned on. Splunk configurations can be tuned for settings where administrators would prefer that Splunk use fewer system resources, for example, where Splunk is not indexing locally but instead forwarding to another Splunk instance.
Below we show how to minimize the resource footprint of the Splunk server. Future versions of Splunk will contain sophisticated packaging and deployment tools to make this easier.
Configurations for light weight forwarder
Turn off all unnecessary modules
Every loaded module takes up a small amount of memory and CPU. For most light weight forwarding installations only the Tailing module is required. Modules are located in the SPLUNK_HOME/etc/modules directory and are loaded by default if they have a config.xml file. To turn off unnecessary modules just rename the config.xml to config.xml.off. This will prevent them from being loaded at startup.
The following is the list of modules included as part of Splunk 2.2. We have noted those modules which you should NOT turn off.
- etc/modules/distributedSearch - required for distributed search and not required for light weight configurations
- etc/modules/input/batchfile - required if you plan on batch loading data
- etc/modules/input/FIFO - required if you plan on reading from a FIFO
- etc/modules/input/log4jTCP - required if you plan on receiving TCP from log4j
- etc/modules/input/ODBC - required if you are reading from ODBC
- etc/modules/input/splunkTCP - required for receiving data to another splunk instance.
- etc/modules/input/syslogFIFO - required for receiving data from syslog via a FIFO
- etc/modules/input/syslogUDP - required for receiving data from syslog via UDP
- etc/modules/input/tailfile - required for receiving data by tailing files
- etc/modules/input/TCP - required for receiving data via TCP
- etc/modules/input/UDP - required for receiving data via UDP
These modules should be left on:
- etc/modules/internal/distributed
- etc/modules/internal/freeprocessors
- etc/modules/internal/scheduler
- etc/modules/output/TCP
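The renaming step described above can be scripted. This is an added example, not part of the original Splunk documentation; the function names and the KEEP_MODULES list (the four modules to leave on plus input/tailfile) are assumptions for a forwarder that only tails files.

```shell
#!/bin/sh
# Added example: disable every module except a keep list by renaming
# config.xml to config.xml.off under SPLUNK_HOME/etc/modules.
# KEEP_MODULES is an assumption: the modules the page says to leave on,
# plus input/tailfile for a forwarder that only tails files.
KEEP_MODULES="input/tailfile internal/distributed internal/freeprocessors internal/scheduler output/TCP"

# disable_modules SPLUNK_HOME [apply]
# Default is a dry run. Prints "keep <m>", "would-off <m>" or "off <m>".
disable_modules() {
    home=$1
    mode=${2:-dry-run}
    moddir="$home/etc/modules"
    [ -d "$moddir" ] || { echo "no modules directory: $moddir" >&2; return 1; }
    # sort buffers the full file list, so renames never race with find
    find "$moddir" -type f -name config.xml | sort | while IFS= read -r cfg; do
        dir=${cfg%/config.xml}
        mod=${dir#"$moddir"/}
        case " $KEEP_MODULES " in
            *" $mod "*) echo "keep $mod"; continue ;;
        esac
        if [ "$mode" = apply ]; then
            mv -- "$cfg" "$cfg.off" && echo "off $mod"
        else
            echo "would-off $mod"
        fi
    done
}

# enable_module SPLUNK_HOME MODULE
# Undo for one module, e.g. enable_module "$SPLUNK_HOME" input/UDP
enable_module() {
    off="$1/etc/modules/$2/config.xml.off"
    [ -f "$off" ] || { echo "not disabled: $2" >&2; return 1; }
    mv -- "$off" "${off%.off}"
}
```

Run disable_modules "$SPLUNK_HOME" first to review the dry-run output, then repeat with apply as the second argument and restart Splunk.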
Remove Unnecessary Processors in Splunkd.xml
Replace your default $SPLUNK_HOME/etc/myinstall/splunkd.xml with this one.
- Rename your current $SPLUNK_HOME/etc/myinstall/splunkd.xml, for example splunkd.xml to splunkd.old
- Copy splunkd.xml.lite to $SPLUNK_HOME/etc/myinstall and rename it to splunkd.xml
- Open your new splunkd.xml, locate <serverName>server_name_in_splunkd.xml</serverName> and replace it with your Splunk server
- Restart Splunk
Disable internal logging
By default Splunk will index its own log files to an internal index. You should disable these data inputs by modifying your $SPLUNK_HOME/etc/bundles/default/inputs.conf to include the line disabled = true for each input.
[tail://$SPLUNK_HOME/var/log/splunk/searchhistory.log]
disabled = true
index = history

[tail://$SPLUNK_HOME/var/log/splunk/web_access.log]
disabled = true
index = _internal

[tail://$SPLUNK_HOME/var/log/splunk/web_service.log]
disabled = true
index = _internal

[tail://$SPLUNK_HOME/var/log/splunk/splunkd.log]
disabled = true
index = _internal

[tail://$SPLUNK_HOME/var/log/splunk/splunklogger.log]
disabled = true
index = splunklogger
This documentation applies to the following versions of Splunk: 2.2, 2.2.1, 2.2.3, 2.2.6