
Splunk & Systemd

No longer required from Splunk version 7.2.2 onwards

Universal Forwarder

Copy this text into a file named "/usr/lib/systemd/system/splunkforwarder.service".

[Unit]
Description=Splunk Universal Forwarder
Wants=network.target
After=network.target

[Service]
Type=forking
RemainAfterExit=yes
ExecStart=/opt/splunkforwarder/bin/splunk start
ExecStop=/opt/splunkforwarder/bin/splunk stop
ExecReload=/opt/splunkforwarder/bin/splunk restart
StandardOutput=syslog
Restart=always

[Install]
WantedBy=multi-user.target

Next, enable the unit. This creates the symlink that systemd uses to start the service at boot.

systemctl enable splunkforwarder

That's it. You can either reboot or run

systemctl start splunkforwarder

SearchHead, Indexer, Heavy Forwarder

Copy this text into a file named "/usr/lib/systemd/system/splunkforwarder.service".

[Unit]
Description=Splunk
Wants=network.target
After=network.target

[Service]
User=splunk
Group=splunk
Type=forking
RemainAfterExit=yes
ExecStart=/opt/splunk/bin/splunk start --answer-yes --no-prompt --accept-license
ExecStop=/opt/splunk/bin/splunk stop
ExecReload=/opt/splunk/bin/splunk restart
StandardOutput=syslog
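# THP: ExecStartPre= because systemd accepts only one ExecStart= unless Type=oneshot.
# The "+" prefix (systemd 231 or later) runs the command as root despite User=splunk.
#ExecStartPre=+/bin/sh -c "echo never >/sys/kernel/mm/transparent_hugepage/enabled"
#ExecStartPre=+/bin/sh -c "echo never >/sys/kernel/mm/transparent_hugepage/defrag"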
#ulimit -Sn 65535
#ulimit -Hn 65535
LimitNOFILE=65535
#ulimit -Su 20480
#ulimit -Hu 20480
LimitNPROC=20480
#ulimit -Hf unlimited
#ulimit -Sf unlimited
LimitFSIZE=infinity
LimitCORE=infinity
#Restart=always

[Install]
WantedBy=multi-user.target

If you have THP (transparent huge pages) compiled into your kernel (hint: it's enabled by default), then you'll need to uncomment the two transparent_hugepage lines.
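
A check to run once the service is up, added here as an example and not part of the original post: it reads the active THP mode and compares a process's soft limits with the Limit* values from the unit file above. The function names are made up for this example, and the demo at the end runs on constructed sample lines.

```shell
#!/bin/sh
# Added example (not from the original page): confirm the unit's settings
# took effect. Function names are made up for this sketch.

# Print the active THP mode; the kernel brackets it: "always madvise [never]".
thp_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# Print the soft limit of one row of a /proc/<pid>/limits file.
# $1 = limits file, $2 = row name exactly as the kernel prints it.
soft_limit() {
    awk -v name="$2" 'index($0, name) == 1 {
        split(substr($0, length(name) + 1), f, " ")  # f[1]=soft, f[2]=hard
        print f[1]
    }' "$1"
}

# Compare a limits file with the Limit* values from the unit file.
# Returns 0 when all match; mismatches are reported on stderr.
check_splunk_limits() {
    rc=0
    while read -r want name; do
        got=$(soft_limit "$1" "$name")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name: want $want, got ${got:-none}" >&2
            rc=1
        fi
    done <<EOF
65535 Max open files
20480 Max processes
unlimited Max file size
unlimited Max core file size
EOF
    return $rc
}

# Demo on constructed sample data; on a live host pass
# /sys/kernel/mm/transparent_hugepage/enabled and /proc/<splunkd pid>/limits.
sample=$(mktemp)
printf '%s\n' \
    'Max file size             unlimited            unlimited            bytes' \
    'Max core file size        unlimited            unlimited            bytes' \
    'Max processes             20480                20480                processes' \
    'Max open files            65535                65535                files' > "$sample"
check_splunk_limits "$sample" && echo "limits match the unit file"
rm -f "$sample"
```

A THP mode other than "never", or any MISMATCH line, means the running process did not pick up the corresponding setting from the unit file.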