https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280199#M10594 <P>We have build our own custom application which collects data from other devices, and builds a string with a Splunk friendly format.<BR /> We are considering to use the SplunkUniversalForwarder to deliver the data to our Splunk Enterprise.</P> <P>My question:<BR /> If the SplunkUniversalForwarder for some reason cant reach the indexers (eg closed firewall port or lost network connection), for how long (or how much) will data be kept in the output queue?<BR /> I have found this setting in the ${SPLUNK_HOME}$/etc/system/default/server.conf:</P> <PRE><CODE>[queue] maxSize = 500KB # look back time in minutes cntr_1_lookback_time = 60s cntr_2_lookback_time = 600s cntr_3_lookback_time = 900s # sampling interval is the same for all the counters of a particular queue # and defaults to 1 sec sampling_interval = 1s </CODE></PRE> <P>However testing showed that more than 1 MB of data was kept in the queue when link was restored.</P> <P>Can anybody show me in any direction where i can find some information on this?</P> <P>Any help would be appriciated.</P> Fri, 12 Feb 2016 07:51:56 GMT polymorphic 2016-02-12T07:51:56Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280199#M10594 <P>We have build our own custom application which collects data from other devices, and builds a string with a Splunk friendly format.<BR /> We are considering to use the SplunkUniversalForwarder to deliver the data to our Splunk Enterprise.</P> <P>My question:<BR /> If the SplunkUniversalForwarder for some reason cant reach the indexers (eg closed firewall port or lost network connection), for how long (or how much) will data be kept in the output queue?<BR /> I have found this setting in the ${SPLUNK_HOME}$/etc/system/default/server.conf:</P> <PRE><CODE>[queue] maxSize = 500KB # look back time in minutes cntr_1_lookback_time = 60s cntr_2_lookback_time = 600s cntr_3_lookback_time = 900s # sampling interval is the same for all the counters of a particular queue # and defaults to 1 sec sampling_interval = 1s </CODE></PRE> <P>However testing showed that more than 1 MB of data was kept in the queue when link was restored.</P> <P>Can anybody show me in any direction where i can find some information on this?</P> <P>Any help would be appriciated.</P> Fri, 12 Feb 2016 07:51:56 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280199#M10594 polymorphic 2016-02-12T07:51:56Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280200#M10595 <P>If a universal forwarder loses contact with its indexer(s), it will buffer events in memory until it can reach an indexer again. If the memory buffer fills up, the forwarder will write events to disk. That is why you saw more data buffered than was allowed for in memory.</P> Fri, 12 Feb 2016 14:53:05 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280200#M10595 richgalloway 2016-02-12T14:53:05Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280201#M10596 <P>Hi Rich</P> <P>Thanks for your answer, that's good information, however I would like to read some more detailed information on this.<BR /> The reason is that too much disk writes could be a big issue because this system is running from a flash drive.</P> <P>Therefore i would like to disable that feature.</P> <P>I haven't been able to find the documentation on this, so if you could point me in the right direction it would be much appreciated.</P> <P>Thanks in advance.</P> <P>//Jesper S</P> Fri, 12 Feb 2016 19:25:08 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280201#M10596 polymorphic 2016-02-12T19:25:08Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280202#M10597 <P>I suggest you make your in-memory queue as large as possible to avoid writing to disk. Then consider using the dropEventsOnQueueFull attribute. You can read about it in the Admin manual (<A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/Outputsconf">http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/Outputsconf</A>).</P> Fri, 12 Feb 2016 19:36:56 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280202#M10597 richgalloway 2016-02-12T19:36:56Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280203#M10598 <P>Thanks again.</P> <P>Please see my outputs.conf (used for testing):</P> <PRE><CODE>[tcpout] defaultGroup = backend maxQueueSize = 512KB dropEventsOnQueueFull = 0 [tcpout:backend] server = splunk.internal:9997 [tcpout-server://splunk.internal:9997] </CODE></PRE> <P>Did some further testing with theese settings, but the results didnt change.</P> <P>Also i dont understand the part marked in <STRONG>bold</STRONG> of the documentation:</P> <BLOCKQUOTE> <P>dropEventsOnQueueFull = <BR /> * If set to a positive number, wait seconds before throwing out <BR /> all new events until the output queue<BR /> has space.<BR /> * ** Setting this to -1 or 0 will cause the output queue to block when it gets full, causing further blocking up the processing chain.**<BR /> * If any target group's queue is blocked, no more data will reach any<BR /> other target group.<BR /> * Using auto load-balancing is the best way to minimize this condition,<BR /><BR /> because, in that case, multiple<BR /> receivers must be down (or jammed up) <BR /> before queue blocking can occur.<BR /> * <STRONG>Defaults to -1 (do not drop events).</STRONG><BR /> * DO NOT SET THIS VALUE TO A POSITIVE INTEGER IF YOU ARE MONITORING FILES!</P> </BLOCKQUOTE> Mon, 15 Feb 2016 07:03:56 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280203#M10598 polymorphic 2016-02-15T07:03:56Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280204#M10599 <P>A blocked processing chain means the forwarder will not read its inputs until the output queue has space.</P> <P>Did you restart the forwarder after changing outputs.conf?</P> Mon, 15 Feb 2016 13:39:52 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280204#M10599 richgalloway 2016-02-15T13:39:52Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280205#M10600 <P>So what does </P> <BLOCKQUOTE> <P>Defaults to -1 (do not drop events)</P> </BLOCKQUOTE> <P>mean?</P> <P>Yes, i did restart the forwarder after change, before testing.</P> Mon, 15 Feb 2016 13:49:16 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280205#M10600 polymorphic 2016-02-15T13:49:16Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280206#M10601 <P>The default value of -1 means to write events to disk rather than discard them. It's the behavior you are experiencing.</P> <P>BTW, if you find the documentation to be confusing or lacking in any way, submit a comment at the bottom of the on-line page. The Splunk documentation people are very responsive.</P> Mon, 15 Feb 2016 13:58:57 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280206#M10601 richgalloway 2016-02-15T13:58:57Z https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280207#M10602 <P>Thanks for your help</P> Mon, 15 Feb 2016 14:18:04 GMT https://community.splunk.com/t5/Deployment-Architecture/Splunk-forwarder-input-queue/m-p/280207#M10602 polymorphic 2016-02-15T14:18:04Z