/Splunking/ v, as in “To Splunk”, “I was splunking”

Really though, it’s a software program. Splunk. It’s great – it’s like Google for log files :D
It’s a resource hog though. The minimum specifications on the Splunk site say 1.4GHz. Well, I installed it on my Via C3 1GHz and it was ok. Then I got interested, and now I have it installed on my K6-2 333MHz with 128MB of RAM ;)

Actually the RAM is a problem. The machine swaps with only 128M. Badly. The load is steady at about 0.3 though, so the CPU is fine. During a search, it will usually shoot up to 1. The Via machine didn’t swap much though, and that only has 384MB of RAM. So the more RAM the better (Splunk do actually mention that the program is very memory-hungry).

I don’t have many log files though. A couple of hundred MB all up. Also, I don’t intend on keeping more than a month’s worth of log files in Splunk. Most problems I have with my servers occur within a matter of hours, not weeks! To make Splunk delete files after they get older than 30 days:

vi /opt/splunk/etc/system/local/indexes.conf

And insert the line:

# 30 days x 86400 seconds per day
frozenTimePeriodInSecs = 2592000
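
To check what retention a given indexes.conf actually yields per index, here is an added example (not part of the original post and not Splunk's own code) that parses the file's text and reports days per stanza. It assumes a single file with no layering across Splunk's config directories; the sample config and the index names firewall and scratch are constructed.

```python
# Added example: report effective retention per index from indexes.conf text.
SPLUNK_DEFAULT_FROZEN_SECS = 188697600  # Splunk's shipped default (about 6 years)

# Constructed sample; "firewall" and "scratch" are made-up index names.
SAMPLE_CONF = """\
# global setting placed before any stanza, as in the post
frozenTimePeriodInSecs = 2592000

[main]
homePath = $SPLUNK_DB/defaultdb/db

[firewall]
frozenTimePeriodInSecs = 7776000

[scratch]
frozenTimePeriodInSecs = thirty days
"""

def parse_conf(text):
    """Return {stanza: {key: value}}; keys before any stanza go to 'default'."""
    stanzas, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def retention_days(text):
    """Map each index stanza to its retention in days, or None if invalid."""
    stanzas = parse_conf(text)
    key = "frozenTimePeriodInSecs"
    fallback = stanzas["default"].get(key, str(SPLUNK_DEFAULT_FROZEN_SECS))
    report = {}
    for name, settings in stanzas.items():
        if name == "default":
            continue
        value = settings.get(key, fallback)
        report[name] = int(value) / 86400 if value.isdigit() else None
    return report

if __name__ == "__main__":
    for index, days in retention_days(SAMPLE_CONF).items():
        label = "INVALID" if days is None else f"{days:g} days"
        print(f"{index}: {label}")
```

Retention is enforced per bucket: a bucket is frozen only once its newest event is older than the limit, so some data can outlive the configured period. Frozen data is deleted unless coldToFrozenDir or coldToFrozenScript is set to archive it first.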

Written on July 30th, 2008, Informative

SirSpanky.com – The Secret Diary of James Pearce Aged 20-Something

Personal journal of a professional geek – James Pearce in Perth, Australia