https://community.splunk.com/t5/Getting-Data-In/running-down-indexer-congestion-problems/m-p/55608#M10868 <P>Good advice : install the SOS app on the indexer and check the indexing performance.<BR /> If the queues are full, then this can be :</P> <UL> <LI>slow disks (index queue) or congested rotation of buckets from homePath -&gt; coldPath -&gt; frozen</LI> <LI>heavy parsing (parsing/aggregation queues) or non optimized events</LI> <LI>heavy load, the usual suspect</LI> <LI>too large metadata files -&gt; upgrade to 4.3 ASAP</LI> </UL> <P>And remember that at one point, you will need more than 1 indexer to scale your volume.</P> Wed, 14 Aug 2013 15:32:11 GMT yannK 2013-08-14T15:32:11Z https://community.splunk.com/t5/Getting-Data-In/running-down-indexer-congestion-problems/m-p/55606#M10866 <P>Hi,</P> <P>I'm running into occasional errors from one of my indexers reporting "skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block."</P> <P>I've run the following to monitor for any high values for the queues and don't see anything really actionable during timeframes I see the messages:</P> <PRE><CODE>index="_internal" source="*metrics.log" group="queue" earliest=-4h | timechart max(current_size) span=30m by name </CODE></PRE> <P>Checked for any forwarders flooding my indexer and nothing was obvious. So, nothing really actionable.</P> <P>According to SPL-37407, this is a known issue in 4.2.1 "most often tcpout-queue", but there's no real info on how to get it addressed. in fact, that's the only place the tcpout-queue is mentioned. So, got some questions:</P> <UL> <LI>is there a search to query the status of the tcpout-queue on indexers?</LI> <LI>would adjusting the maxQueueSize in the outputs.conf on the search heads give me a bigger default queue to work with before errors start?</LI> <LI>Any tips on how to troubleshoot indexer congestion issues? there's not a lot of data out there about how to handle.</LI> </UL> <P>Thanks!</P> <P>tom</P> Tue, 09 Aug 2011 22:15:37 GMT https://community.splunk.com/t5/Getting-Data-In/running-down-indexer-congestion-problems/m-p/55606#M10866 tgiles 2011-08-09T22:15:37Z https://community.splunk.com/t5/Getting-Data-In/running-down-indexer-congestion-problems/m-p/55607#M10867 <P>You could try the "Splunk on Splunk" App, <A href="http://apps.splunk.com/app/748">http://apps.splunk.com/app/748</A></P> <P>It will provide you a good overview of what's happening on your indexer.</P> Wed, 14 Aug 2013 14:14:31 GMT https://community.splunk.com/t5/Getting-Data-In/running-down-indexer-congestion-problems/m-p/55607#M10867 splunk68 2013-08-14T14:14:31Z https://community.splunk.com/t5/Getting-Data-In/running-down-indexer-congestion-problems/m-p/55608#M10868 <P>Good advice : install the SOS app on the indexer and check the indexing performance.<BR /> If the queues are full, then this can be :</P> <UL> <LI>slow disks (index queue) or congested rotation of buckets from homePath -&gt; coldPath -&gt; frozen</LI> <LI>heavy parsing (parsing/aggregation queues) or non optimized events</LI> <LI>heavy load, the usual suspect</LI> <LI>too large metadata files -&gt; upgrade to 4.3 ASAP</LI> </UL> <P>And remember that at one point, you will need more than 1 indexer to scale your volume.</P> Wed, 14 Aug 2013 15:32:11 GMT https://community.splunk.com/t5/Getting-Data-In/running-down-indexer-congestion-problems/m-p/55608#M10868 yannK 2013-08-14T15:32:11Z https://community.splunk.com/t5/Getting-Data-In/running-down-indexer-congestion-problems/m-p/55609#M10869 <P>@yannK , is it also possible for the congestion to occur due to a lot of searches targeting the indexer. We have premium apps (ITSI/ES) enabled in our environment. Could that be the case too ?</P> Fri, 12 May 2017 09:48:51 GMT https://community.splunk.com/t5/Getting-Data-In/running-down-indexer-congestion-problems/m-p/55609#M10869 vr2312 2017-05-12T09:48:51Z