topic Re: Is there a way to increase the maxQueueSize for Syslog output? in Getting Data In

Is there a way to increase the maxQueueSize for Syslog output?

ludoz13 — Mon, 28 Sep 2020 19:28:22 GMT

Hello Splunkers,

I would like to know if there is any way to increase the queue of my syslog group. I mean, currently I forward logs that are received on my Splunk through a tierce solution on syslog and the default queue is 97 KB. Please find below an example :

INFO Metrics - group=queue, name=my_syslog_group, max_size_kb=97, current_size_kb=0, current_size_kb=0, largest_size=0, smallest_size=0

I tried to set up this configuration on server.conf :

[queue]
maxSize = 10MB

[queue:my_syslog_group]
maxSize = 10MB

After restarting, I have always the default queue (97 KB). I saw nothing in the outputs.conf file to increase this queue for syslog output.

Do you have any idea ?

Thx for your help,

Regards,

Ludo

Re: Is there a way to increase the maxQueueSize for Syslog output?

alacercogitatus — Tue, 14 Apr 2015 19:42:56 GMT

Your configuration option is wrong and needs to be on the outputs.conf configuration for the syslog.

maxQueueSize = [<integer>|<integer>[KB|MB|GB]|auto]

See:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Outputsconf

Re: Is there a way to increase the maxQueueSize for Syslog output?

ludoz13 — Tue, 14 Apr 2015 20:01:02 GMT

Hello alacercogitatus,

Thanks for your answser but could you please confirm us that this option setting "maxQueueSize" is for Syslog output.

I see on the documentation that this option is only for TCP output (splunk system)

Thanks a lot,

Regards,

Ludo

Re: Is there a way to increase the maxQueueSize for Syslog output?

harishmeetsu — Wed, 16 Sep 2020 10:11:53 GMT

Hi,

Did you find any solution for this? Unfortunately I cannot see any option to drop events when queue full for the syslog output processor

Thanks

Re: Is there a way to increase the maxQueueSize for Syslog output?

kozanic_mg — Fri, 30 Oct 2020 05:04:38 GMT

Hi All,

Just wondering if anyone has been able to come up with a fix / work-around for this issue.

It's 5 yrs since it was originally asked and still it appears that the config options are very limited for this.

Re: Is there a way to increase the maxQueueSize for Syslog output?

gcusello — Fri, 30 Oct 2020 07:09:28 GMT

Hi @harishmeetsu,

I had a problem few months ago related to this: i tried to enlarge the maxQueueSize and my system was blocked because the full syslog queue blocked all the other queues(I was working on an Heavy Forwarder).

I opened a case to Splunk Support and they gave me two solutions:

using the parallel ingestion and add more resources to the system,
writing data in a file and using r-syslog.

I followed their first hint and I was able to send more data via syslog (around 20kb/s instead 1).

To do this, you have to add to your server.conf:

[general] parallelIngestionPipelines = 2

Before you ask: it isn't possible to use an higher value, I tried without results!

Ciao.

Giuseppe