Re: Does increasing time_before_close in splunk ha...

sfmandmdev · ‎09-28-2012

We have jvm gc logs which are pausing while writing loglines for more than a minute. So are thinking of increasing the time_before_close to a value more than 60 secs. But before doing that there are couple questions I wanted addressed:

Does increasing time_before_close field lead to performance degradation of splunk ?
Is there a splunk config to apply this setting only to particular log files in the app ? Reason being could monitoring the jvm logs longer affect splunk forwarding/indexing other logs ?

dwaddle · ‎09-30-2012

For your first question, the answer is most likely "maybe, depending on your exact circumstances". It's hard to make absolute statements about this. Depending on how many files you're tailing, it could mean you'll need more file handles for Splunk to use because each one will stay open longer. If you are only tailing a couple of hundred files, it might not matter. If you are tailing thousands, it could be a different story.

For your second question, this setting is global for the instance of Splunk. There's no way to (as of version 4.3) on a per-stanza or similar basis. You could always submit an enhancement request to improve this functionality.

Does increasing time_before_close in splunk have any performance side effects ?

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users