Splunk® Enterprise

Troubleshooting Manual

Download manual as PDF

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

I get errors about ulimit in splunkd.log

Are you seeing messages like these in splunkd.log while running Splunk software on *nix, possibly accompanied by a Splunk software crash?

03-03-2011 21:50:09.027 INFO  ulimit - Limit: virtual address space size: unlimited
03-03-2011 21:50:09.027 INFO  ulimit - Limit: data segment size: 1879048192 bytes [hard maximum: unlimited]
03-03-2011 21:50:09.027 INFO  ulimit - Limit: resident memory size: 2147482624 bytes [hard maximum: unlimited]
03-03-2011 21:50:09.027 INFO  ulimit - Limit: stack size: 33554432 bytes [hard maximum: 2147483646 bytes]
03-03-2011 21:50:09.027 INFO  ulimit - Limit: core file size: 1073741312 bytes [hard maximum: unlimited]
03-03-2011 21:50:09.027 INFO  ulimit - Limit: data file size: 2147483646 bytes
03-03-2011 21:50:09.027 ERROR ulimit - Splunk may not work due to low file size limit
03-03-2011 21:50:09.027 INFO  ulimit - Limit: open files: 1024
03-03-2011 21:50:09.027 INFO  ulimit - Limit: cpu time: unlimited
03-03-2011 21:50:09.029 INFO  loader - Splunkd starting (build 95063).

If so, you might need to adjust your server ulimit. Ulimit controls the resources available to a *nix shell and processors the *nix shell has started. A machine running Splunk software needs higher limits than are provided by default.

To check your limits, type:

ulimit -a

Or restart Splunk Enterprise and look in splunkd.log for events mentioning ulimit:

index=_internal source=*splunkd.log ulimit

You probably want your new values to stay set even after you reboot. To persistently modify the values, edit settings in /etc/security/limits.conf

The most important values are:

  • The file size (ulimit -f). The size of an uncompressed bucket file can be very high.
  • The data segment size (ulimit -d). Increase the value to at least 1 GB = 1073741824 bytes.
  • The number of open files (ulimit -n), sometimes called the number of file descriptors. Increase the value to at least 8192 (depending on your server capacity).
  • The max user processes (ulimit -u). Increase to match the file descriptors. This limit is important for the number of http threads.

Another value that you might need to modify on an older system (but not on most modern systems) is the system-wide file size, fs.file-max, in /etc/sysctl.conf.

Why must you increase ulimit to run Splunk software? Well, you might concurrently need file descriptors for every forwarder socket and every deployment client socket. Each bucket can use 10 to 100 files, every search consumes up to 3, and then consider every file to be indexed and every user connected.

PREVIOUS
What do I do with buckets?
  NEXT
Common issues with Splunk and WMI

This documentation applies to the following versions of Splunk® Enterprise:


Comments

Matthewhaswell's issue applies to Ubuntu Server and Debian systems, also.

Good to see that there's an enhancement request for this.

Baldwintm
May 18, 2016

Thanks, Matthewhaswell! We have an enhancement request to make this better (SPL-79534).

Jlaw splunk
April 25, 2014

Just a note - on Centos when the Splunk process is started with it's /etc/init.d/splunk script then it doesn't check the /etc/security/limits.conf file since it's not an interactive terminal (due to the PAM configuration). So it is best to edit the file /etc/init.d/functions and add a line saying "ulimit -n 8196" at the beginning of it. This functions script is run by every init.d startup file. <br /><br />Note that you should also change the limits.conf in case you manually restart splunk as it will pick up the values from your process.<br /><br />Perhaps splunk engineering would like to just hardcode it into their startup file to check if it's already below 8192 and then to set it to 8192?

Matthewhaswell
September 16, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters