topic Re: UF Data Interruption in Getting Data In

UF Data

Priya70 — Fri, 22 Aug 2025 14:11:48 GMT

Re: UF Data Interruption

sainag_splunk — Tue, 19 Aug 2025 15:39:07 GMT

Hi @Priya70,without seeing the actual splunkd.log entries during the stall periods, its hard to answer. However, based on your symptoms, the most likely cause is backpressure.

Why backpressure fits your pattern:

- High-volume classic logs (Application/Security/System) pause first

- Lower-volume custom channels (Cisco VPN) continue uninterrupted

- Multiple input types affected simultaneously (monitor, registry, scripted)

- Automatic recovery after queues drain

To confirm, check splunkd.log during stall periods for:

- "queue is full" messages

- TCP connection errors to indexers

- Network timeout warnings

Other possibilities to rule out:

- Windows Event Log API resource exhaustion

- UF memory pressure

- Windows Event Log service issues

index=_internal host=<UF> source=*metrics.log* OR source=*splunkd.log* tcpout

Hope this helps narrow it down!

Re: UF Data Interruption

kiran_panchavat — Wed, 20 Aug 2025 01:31:48 GMT

@Priya70

It sounds like the UF might be hitting a resource bottleneck (CPU, memory, disk I/O, or handles) or the Windows Event Log channels may be overwhelmed. If the UF is forwarding to an indexer, intermittent network issues could also create backpressure and stall inputs.

I recommend checking $SPLUNK_HOME/var/log/splunk/splunkd.log for any warnings/errors around the time the data stops, this usually gives good clues on whether it’s resource, input, or connectivity related.

Re: UF Data Interruption

Priya70 — Fri, 22 Aug 2025 14:10:30 GMT

Re: UF Data Interruption

PickleRick — Thu, 21 Aug 2025 17:31:20 GMT

But if your data is destined for both output groups, if one group blocks, the other one blocks as well.

Re: UF Data Interruption

Priya70 — Fri, 22 Aug 2025 14:10:48 GMT