https://community.splunk.com/t5/Getting-Data-In/Forwarding-events-Splunk-stopps-working-when-endpoint-is-not/m-p/231055#M44975 <P>If you take a look at this diagram:</P> <P><A href="https://wiki.splunk.com/Community:HowIndexingWorks">https://wiki.splunk.com/Community:HowIndexingWorks</A> </P> <P>"3. Detail Diagram - Standalone Splunk"</P> <P>You can see how the flow works. When Splunk is unable to communicate with a 3rd party system the queue fills up, which causes us to start filling up in the pipeline going backwards to the point where eventually we no longer accept any new data, as we can't do anything with the data we have.</P> <P>2 of the main reasons why indexers stop indexing is because of:<BR /> 1. We have an indexing loop. E.G. an outputs that is configured to forward data to another indexer, and back<BR /> 2. Forwarding of data configured to send to a 3rd party and there is an issue with the upstream system.</P> <P>You could play around with these settings out of outputs.conf, although these are just ideas and may not solve your issue / use case depending on how important it is that you get the data at the 3rd party:</P> <P>dropEventsOnQueueFull = <BR /> * If set to a positive number, wait seconds before throwing out<BR /> all new events until the output queue has space.<BR /> * Setting this to -1 or 0 will cause the output queue to block when it gets<BR /> full, causing further blocking up the processing chain.<BR /> * If any target group's queue is blocked, no more data will reach any other<BR /> target group.<BR /> * Using auto load-balancing is the best way to minimize this condition,<BR /> because, in that case, multiple receivers must be down (or jammed up)<BR /> before queue blocking can occur.<BR /> * Defaults to -1 (do not drop events).<BR /> * DO NOT SET THIS VALUE TO A POSITIVE INTEGER IF YOU ARE MONITORING FILES!</P> <P>dropClonedEventsOnQueueFull = <BR /> * If set to a positive number, do not block completely, but wait up to<BR /> seconds to queue events to a group. If it cannot enqueue to a<BR /> group for more than seconds, begin dropping events for the<BR /> group. It makes sure that at least one group in the cloning configuration<BR /> will get events. It blocks if event cannot be delivered to any of the<BR /> cloned groups.<BR /> * If set to -1, the TcpOutputProcessor will make sure that each group will<BR /> get all of the events. If one of the groups is down, then Splunk will<BR /> block everything.<BR /> * Defaults to 5.</P> <P>Others might recommend to increase the queue size, but if the 3rd party is down for an extended period of time the same issue will occur.</P> <P>You best bet is to figure out why the thrid party system is not taking data and fix that so it is more reliable.</P> Tue, 17 Jan 2017 13:30:31 GMT jwelch_splunk 2017-01-17T13:30:31Z https://community.splunk.com/t5/Getting-Data-In/Forwarding-events-Splunk-stopps-working-when-endpoint-is-not/m-p/231054#M44974 <P>Hello</P> <P>We forward events using the outputs.conf on the indexers:</P> <P><STRONG>outputs.conf</STRONG></P> <PRE><CODE>[tcpout] defaultGroup = default disabled = 0 indexAndForward = 1 [tcpout-server://x.x.x.x:601] [tcpout:default] disabled = 0 server = x.x.x.x:601 sendCookedData = false </CODE></PRE> <P>When the endpoint (x.x.x.x) is not available splunk stopps all listeners:</P> <PRE><CODE>12-21-2016 12:02:45.982 +0100 WARN TcpOutputProc - Write operation timed out for 10.128.16.36:601 in 300 seconds. 12-21-2016 12:02:45.982 +0100 INFO TcpOutputProc - Connected to idx=10.128.16.36:601 12-21-2016 12:02:45.982 +0100 WARN TcpOutputProc - Forwarding to indexer group default blocked for 300 seconds. 12-21-2016 12:02:56.871 +0100 INFO TcpInputProc - Stopping IPv4 port 514 12-21-2016 12:02:56.871 +0100 INFO TcpInputProc - Stopping IPv4 port 1514 12-21-2016 12:02:56.871 +0100 INFO TcpInputProc - Stopping IPv4 port 2514 12-21-2016 12:02:56.871 +0100 INFO TcpInputProc - Stopping IPv4 port 4514 12-21-2016 12:02:56.871 +0100 INFO TcpInputProc - Stopping IPv4 port 5514 12-21-2016 12:02:56.871 +0100 INFO TcpInputProc - Stopping IPv4 port 3514 12-21-2016 12:02:56.871 +0100 INFO TcpInputProc - Stopping IPv4 port 9997 12-21-2016 12:02:56.871 +0100 WARN TcpInputProc - Stopping all listening ports. Queues blocked for more than 300 seconds 12-21-2016 12:03:11.816 +0100 WARN TcpOutputProc - Forwarding to indexer group default blocked for 400 seconds. </CODE></PRE> <P>I don't know why this happens. Any hints?</P> <P>Thanks &amp; Regards<BR /> Nicolas</P> Tue, 17 Jan 2017 12:50:04 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarding-events-Splunk-stopps-working-when-endpoint-is-not/m-p/231054#M44974 nicocin 2017-01-17T12:50:04Z https://community.splunk.com/t5/Getting-Data-In/Forwarding-events-Splunk-stopps-working-when-endpoint-is-not/m-p/231055#M44975 <P>If you take a look at this diagram:</P> <P><A href="https://wiki.splunk.com/Community:HowIndexingWorks">https://wiki.splunk.com/Community:HowIndexingWorks</A> </P> <P>"3. Detail Diagram - Standalone Splunk"</P> <P>You can see how the flow works. When Splunk is unable to communicate with a 3rd party system the queue fills up, which causes us to start filling up in the pipeline going backwards to the point where eventually we no longer accept any new data, as we can't do anything with the data we have.</P> <P>2 of the main reasons why indexers stop indexing is because of:<BR /> 1. We have an indexing loop. E.G. an outputs that is configured to forward data to another indexer, and back<BR /> 2. Forwarding of data configured to send to a 3rd party and there is an issue with the upstream system.</P> <P>You could play around with these settings out of outputs.conf, although these are just ideas and may not solve your issue / use case depending on how important it is that you get the data at the 3rd party:</P> <P>dropEventsOnQueueFull = <BR /> * If set to a positive number, wait seconds before throwing out<BR /> all new events until the output queue has space.<BR /> * Setting this to -1 or 0 will cause the output queue to block when it gets<BR /> full, causing further blocking up the processing chain.<BR /> * If any target group's queue is blocked, no more data will reach any other<BR /> target group.<BR /> * Using auto load-balancing is the best way to minimize this condition,<BR /> because, in that case, multiple receivers must be down (or jammed up)<BR /> before queue blocking can occur.<BR /> * Defaults to -1 (do not drop events).<BR /> * DO NOT SET THIS VALUE TO A POSITIVE INTEGER IF YOU ARE MONITORING FILES!</P> <P>dropClonedEventsOnQueueFull = <BR /> * If set to a positive number, do not block completely, but wait up to<BR /> seconds to queue events to a group. If it cannot enqueue to a<BR /> group for more than seconds, begin dropping events for the<BR /> group. It makes sure that at least one group in the cloning configuration<BR /> will get events. It blocks if event cannot be delivered to any of the<BR /> cloned groups.<BR /> * If set to -1, the TcpOutputProcessor will make sure that each group will<BR /> get all of the events. If one of the groups is down, then Splunk will<BR /> block everything.<BR /> * Defaults to 5.</P> <P>Others might recommend to increase the queue size, but if the 3rd party is down for an extended period of time the same issue will occur.</P> <P>You best bet is to figure out why the thrid party system is not taking data and fix that so it is more reliable.</P> Tue, 17 Jan 2017 13:30:31 GMT https://community.splunk.com/t5/Getting-Data-In/Forwarding-events-Splunk-stopps-working-when-endpoint-is-not/m-p/231055#M44975 jwelch_splunk 2017-01-17T13:30:31Z