https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291746#M55583 <P>So till now my research indicates that it may be related to the tcp session timeout on the firewall in between my HF and the remote syslog. to be continued...</P> Mon, 03 Apr 2017 16:38:50 GMT sassens1 2017-04-03T16:38:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291744#M55581 <P>Hello,</P> <P>We use a Heavy Forwarder (HF) to forward CheckPoint logs to an external third-party SIEM using the TCP protocol.<BR /> I have noticed from time to time this kind of errors:</P> <PRE><CODE>01-25-2017 15:47:44.071 +0100 INFO TcpOutputProc - Queue for group ICSRouting-checkpoint has stopped dropping events 01-25-2017 15:47:44.688 +0100 WARN TcpOutputProc - Queue for group ICSRouting-checkpoint has begun dropping events </CODE></PRE> <P>just a few milliseconds of failure?<BR /> I checked my queue size which seems ok:</P> <PRE><CODE>02-08-2017 20:57:22.077 +0100 INFO Metrics - group=queue, ingest_pipe=0, name=tcpout_icsrouting-checkpoint, max_size=512000 </CODE></PRE> <P>However I'm not sure my parsing queue is big enough if I rely on the largest_size &gt; max_size_kb:</P> <PRE><CODE>02-08-2017 20:59:26.082 +0100 INFO Metrics - group=queue, ingest_pipe=1, name=parsingqueue, max_size_kb=6144, current_size_kb=0, current_size=0, largest_size=7494, smallest_size=0 </CODE></PRE> <P>I don't have any alert from the Distributed Management Console (DMC), CPU/MEM are fine, anything else I should look at?<BR /> Could it be the third party syslog that is not handling all the traffic and cannot ack every packet my HF transmits?</P> Tue, 29 Sep 2020 12:48:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291744#M55581 sassens1 2020-09-29T12:48:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291745#M55582 <P>no one? <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> Tue, 14 Mar 2017 10:53:52 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291745#M55582 sassens1 2017-03-14T10:53:52Z https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291746#M55583 <P>So till now my research indicates that it may be related to the tcp session timeout on the firewall in between my HF and the remote syslog. to be continued...</P> Mon, 03 Apr 2017 16:38:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291746#M55583 sassens1 2017-04-03T16:38:50Z https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291747#M55584 <P>did this end up being the cause of your issues?</P> Tue, 22 Aug 2017 20:46:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291747#M55584 dflodstrom 2017-08-22T20:46:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291748#M55585 <P>@sassens1 Did you find out the root cause that caused this issue?</P> Thu, 13 Dec 2018 18:16:34 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291748#M55585 vsingla1 2018-12-13T18:16:34Z https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291749#M55586 <P>Is this issue still outstanding? We are having the same issue. Any possible solution? thanks</P> Wed, 07 Aug 2019 12:02:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-resolve-quot-TcpOutputProc-Queue-for-group-ICSRouting/m-p/291749#M55586 marlongarcia 2019-08-07T12:02:05Z