Splunk search for Check for Hosts Hitting Max File Descriptor (max_fd) Limit

Copy
index=_internal sourcetype=splunkd "TailReader - File descriptor cache is full" "trimming" | stats count by host
This search will tell you if a Universal/Heavy Forwarder has hit it's Max File Descriptor limit. By default this is set to 100 in limits.conf. If you see this message it means you are losing logs, recommend increasing max_fd in limits.conf.
0 comments

Category:

Universal Forwarder


Tags:

universal forwarder _internal max_fd limits.conf forwarder

Search Commands:

Sign in or Register to submit a comment