https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-ingesting/m-p/642469#M109487 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224632">@Roy_9</a>,</P><P>probably the performance tests gave an overload on resources so your hardware hasn't the necessary resources to read and forwarrd logs.</P><P>You can test queues using this search:</P><LI-CODE lang="markup">index=_internal source=*metrics.log sourcetype=splunkd group=queue host=&lt;your_host&gt; | eval name=case(name=="aggqueue","2 - Aggregation Queue", name=="indexqueue", "4 - Indexing Queue", name=="parsingqueue", "1 - Parsing Queue", name=="typingqueue", "3 - Typing Queue", name=="splunktcpin", "0 - TCP In Queue", name=="tcpin_cooked_pqueue", "0 - TCP In Queue") | eval max=if(isnotnull(max_size_kb),max_size_kb,max_size) | eval curr=if(isnotnull(current_size_kb),current_size_kb,current_size) | eval fill_perc=round((curr/max)*100,2) | bin _time span=1m | stats Median(fill_perc) AS "fill_percentage" max(max) AS max max(curr) AS curr by host, _time, name | where (fill_percentage&gt;70 AND name!="4 - Indexing Queue") OR (fill_percentage&gt;70 AND name="4 - Indexing Queue") | sort -_time</LI-CODE><P>If you'll find queues at 100%, you'll have found the reason of the stop.</P><P>Ciao.</P><P>Giusepep</P> Sat, 06 May 2023 10:49:46 GMT gcusello 2023-05-06T10:49:46Z https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-ingesting/m-p/642459#M109484 <P>Hello,</P> <P>I have a usecase where few servers stopped ingesting for 3-4 hrs when the user is doing performance testing on those servers and then servers started ingesting again automatically, I am not sure what caused the ingestion to stop.</P> <P>During the time when the ingestion has stopped, logs are still available on the server</P> <P>Please help me with the troubleshooting on what might have caused for this issue and how I can remediate this?</P> <P>&nbsp;</P> <P>Thanks in advance</P> <P>&nbsp;</P> Mon, 08 May 2023 10:03:33 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-ingesting/m-p/642459#M109484 Roy_9 2023-05-08T10:03:33Z https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-ingesting/m-p/642469#M109487 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224632">@Roy_9</a>,</P><P>probably the performance tests gave an overload on resources so your hardware hasn't the necessary resources to read and forwarrd logs.</P><P>You can test queues using this search:</P><LI-CODE lang="markup">index=_internal source=*metrics.log sourcetype=splunkd group=queue host=&lt;your_host&gt; | eval name=case(name=="aggqueue","2 - Aggregation Queue", name=="indexqueue", "4 - Indexing Queue", name=="parsingqueue", "1 - Parsing Queue", name=="typingqueue", "3 - Typing Queue", name=="splunktcpin", "0 - TCP In Queue", name=="tcpin_cooked_pqueue", "0 - TCP In Queue") | eval max=if(isnotnull(max_size_kb),max_size_kb,max_size) | eval curr=if(isnotnull(current_size_kb),current_size_kb,current_size) | eval fill_perc=round((curr/max)*100,2) | bin _time span=1m | stats Median(fill_perc) AS "fill_percentage" max(max) AS max max(curr) AS curr by host, _time, name | where (fill_percentage&gt;70 AND name!="4 - Indexing Queue") OR (fill_percentage&gt;70 AND name="4 - Indexing Queue") | sort -_time</LI-CODE><P>If you'll find queues at 100%, you'll have found the reason of the stop.</P><P>Ciao.</P><P>Giusepep</P> Sat, 06 May 2023 10:49:46 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-ingesting/m-p/642469#M109487 gcusello 2023-05-06T10:49:46Z https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-ingesting/m-p/642546#M109517 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;<BR /><BR />The parsing queues fill percentages are less than 70% when the testing was run, I am not sure on what other factors that are causing the issue.Do yo have any thoughts?</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Mon, 08 May 2023 15:45:07 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-ingesting/m-p/642546#M109517 Roy_9 2023-05-08T15:45:07Z https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-ingesting/m-p/642547#M109518 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/224632">@Roy_9</a>,</P><P>I can only suppose that tha testing activities have an hogher priority than Splunk activities, so they have to wait for the end of the other activities.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 08 May 2023 16:10:37 GMT https://community.splunk.com/t5/Getting-Data-In/Why-did-Splunk-stop-ingesting/m-p/642547#M109518 gcusello 2023-05-08T16:10:37Z