Documentation > Splunk > Troubleshooting Manual > I get errors about ulimit in splunkd.log

Troubleshooting Manual

 


Welcome to the Troubleshooting Manual
First steps
Splunk log files
Contact Splunk Support
Some common scenarios

I get errors about ulimit in splunkd.log

I get errors about ulimit in splunkd.log

Are you seeing messages like these in splunkd.log while running Splunk on Linux, possibly accompanied by a Splunk crash? 

03-03-2011 21:50:09.027 INFO  ulimit - Limit: virtual address space size: unlimited
03-03-2011 21:50:09.027 INFO  ulimit - Limit: data segment size: 1879048192 bytes [hard maximum: unlimited]
03-03-2011 21:50:09.027 INFO  ulimit - Limit: resident memory size: 2147482624 bytes [hard maximum: unlimited]
03-03-2011 21:50:09.027 INFO  ulimit - Limit: stack size: 33554432 bytes [hard maximum: 2147483646 bytes]
03-03-2011 21:50:09.027 INFO  ulimit - Limit: core file size: 1073741312 bytes [hard maximum: unlimited]
03-03-2011 21:50:09.027 INFO  ulimit - Limit: data file size: 2147483646 bytes
03-03-2011 21:50:09.027 ERROR ulimit - Splunk may not work due to low file size limit
03-03-2011 21:50:09.027 INFO  ulimit - Limit: open files: 1024
03-03-2011 21:50:09.027 INFO  ulimit - Limit: cpu time: unlimited
03-03-2011 21:50:09.029 INFO  loader - Splunkd starting (build 95063).

If so, you might need to adjust your server ulimit. Ulimit controls the resources available to a Linux shell and processors the Linux shell has started. A dedicated Splunk server needs higher limits than are provided by default.

To check your limits, type:

ulimit -a

Or restart Splunk and check 

grep ulimit $SPLUNK_HOME/var/log/splunk/splunkd.log

You probably want your new values to stay set even after you reboot. To persistently modify the values, edit settings in /etc/security/limits.conf

The three critical values are:

  • The file size (ulimit -f). The size of an uncompressed bucket file can be very high.
  • The number of open files (ulimit -n), sometimes called the number of file descriptors. Increase the value to at least 8192 (depending on your server capacity).
  • The data segment size (ulimit -d). With Splunk 4.2+, increase the value to at least 1 GB = 1073741824 bytes.

A fourth value that you might need to modify on an older system (but not on most modern systems) is the system-wide file size, fs.file-max, in /etc/sysctl.conf.

Why must you increase ulimit to run Splunk? Well, you might concurrently need file descriptors for every forwarder socket and every deployment client socket. Each bucket can use 10 to 100 files, every search consumes up to 3, and then consider every file to be indexed and every user connected.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3.1/Troubleshooting/ulimitErrors"

This documentation applies to the following versions of Splunk: 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!