Reducing the Data Volume
Since Splunk is licensed by daily indexed data volume, it is in every customer’s interest to keep the data volume generated by uberAgent as small as possible. uberAgent comes prepared for that by offering two default configurations and many ways for fine-tuning.
Choose Between Detail and Data Volume
Start by choosing either the default configuration, which provides full detail and high resolution, or the configuration optimized for data volume, which differs from the default in the following ways:
- Process & application performance: information is collected only on the 10-15 most active processes in terms of CPU, RAM, disk, and network utilization. The processes included in the data collection are determined dynamically for every collection interval. One could say uberAgent "follows" the active processes.
- Collection interval of 120 s instead of 30 s.
See this document for instructions on how to switch between the two configurations.
Take Stock
Before modifying the configuration, find out how much data is generated per endpoint by the default settings. The easiest way to do that is to have uberAgent tell you in the Data Volume dashboard.
Reduce the Data Volume per Endpoint
Once you know the currently generated data volume, you should have an idea of how much it needs to be reduced. Start with the endpoint configuration.
Through uberAgent’s configuration you can do three things to reduce the data volume:
Reduce the Frequency
By default, uberAgent collects performance data every 30 seconds. You can cut the volume nearly in half by changing the frequency to one minute (any other value is possible, too, of course).
You can fine-tune the data collection by adding additional timers. The data collection frequency can be set per timer. Move each metric to the timer with the desired frequency to optimally balance accuracy and data volume. While optimizing, focus on those metrics that generate the highest data volume (the Data Volume dashboard shows you which those are).
Remove Metrics
By default, all metrics are enabled. If you do not need the information collected by some of them, turn them off by removing them from the configuration.
Special Treatment for ProcessDetail
As you can see in the Data Volume dashboard, the ProcessDetail metric generates by far the highest data volume. Consider replacing ProcessDetailFull with ProcessDetailTop5. Once you do that, uberAgent only collects performance data for processes with the highest activity. This may lead to a dramatic reduction in data volume.
ProcessDetailTop5
By configuring ProcessDetailTop5, only the top 5 ProcessDetail metrics are collected based on each of the following criteria:
- Process CPU usage
- Count of process I/O read/write operations
- Amount of process I/O read/write operations data volume
- Process consumed RAM
- Process generated network traffic
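The selection rule above, modeled as an added illustration (not uberAgent's own code): take the top 5 processes for each of the five criteria and collect the union, which can contain between 5 and 25 processes per interval. The process counters are constructed sample data, and the daily event estimate assumes one ProcessDetail event per collected process per interval.

```python
# Illustration only: models "top 5 per criterion, then union" on constructed data.
CRITERIA = ("cpu_pct", "io_ops", "io_bytes", "ram_mb", "net_bytes")

# Constructed counters for one collection interval, in CRITERIA order.
SAMPLE = {
    "chrome.exe":        (22.0,  900,  4_000_000, 1800, 9_000_000),
    "teams.exe":         (15.0,  400,  1_500_000, 1200, 7_000_000),
    "outlook.exe":       (6.0,   700,  3_000_000,  600, 2_000_000),
    "MsMpEng.exe":       (18.0, 5000, 60_000_000,  300,    10_000),
    "SearchIndexer.exe": (4.0,  3500, 20_000_000,  150,         0),
    "sqlservr.exe":      (9.0,  2500, 45_000_000, 2500,   500_000),
    "OneDrive.exe":      (2.0,  1200,  8_000_000,  200, 5_000_000),
    "excel.exe":         (11.0,  300,    900_000,  700,    50_000),
    "explorer.exe":      (1.0,   150,    200_000,  180,         0),
    "svchost.exe":       (0.5,    80,    100_000,   90,   300_000),
    "dwm.exe":           (3.0,    10,      5_000,  250,         0),
    "lsass.exe":         (0.2,    40,     30_000,   25,    20_000),
}


def top_n_union(sample, n=5):
    """Return processes ranked in the top n for at least one criterion."""
    selected = set()
    for idx in range(len(CRITERIA)):
        ranked = sorted(sample, key=lambda name: sample[name][idx], reverse=True)
        selected.update(ranked[:n])
    return selected


def events_per_day(process_count, interval_s):
    """Assumption: one ProcessDetail event per collected process per interval."""
    return process_count * (86_400 // interval_s)


def compare(sample):
    """Estimate daily events for full collection versus top-5 collection."""
    kept = top_n_union(sample)
    return {
        "kept": sorted(kept),
        "full_30s": events_per_day(len(sample), 30),
        "top5_30s": events_per_day(len(kept), 30),
        "top5_120s": events_per_day(len(kept), 120),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE).items():
        print(f"{key}: {value}")
```

Because busy processes usually rank high on several criteria at once, the union is normally much smaller than 25; the saving also grows with the number of processes running on the endpoint.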
Event Data Filtering
Event Data Filtering is a powerful feature that replaces the previous allowlist and denylist options. This feature allows defining rules with conditions that are evaluated for every event before it is sent to the backend. With each matching rule, a pre-defined action is executed that controls whether the event is sent to the backend or not. Additionally, certain fields can be cleared before sending the event.
For detailed guidance, refer to the Event Data Filtering documentation.
Reduce the Number of Endpoints
If the data volume is still too high after optimizing the configuration as recommended above, you need to reduce the number of endpoints that send data to Splunk. You can do that by stopping and disabling the uberAgent system service on select endpoints.