https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337312#M62311 <P>Do you have an outputs.conf on your SH that forwards its logs to your indexers?</P> Fri, 28 Jul 2017 20:11:30 GMT esix_splunk 2017-07-28T20:11:30Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337303#M62302 <P>Hey Guys,</P> <P>So, I've got a weird one. According to my monitoring console, the indexing queues on my search head are all pegged at 100%, and have been for a long time. The thing is, nothing's indexing on the thing. It's forwarding internal logs to my indexers, and I'm not running any Summary indexes on it.</P> <P>Is there a way to figure out what's blocking it up? It's not a huge priority beyond the fact that the system is slow compared to other search heads, and that my boss wants to figure out why it's flagging; partially for academic reasons. Only thing I really have to go on is that on the search head, it's showing my corporate_security role with read access when I check the Introspection API; something that's not on any other system including other search heads.</P> <P>Note, I don't have a Search Head cluster, but I am running a clustered pair of Indexers.</P> Fri, 28 Jul 2017 17:45:39 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337303#M62302 Haybuck15 2017-07-28T17:45:39Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337304#M62303 <P>any errors or warning in internal index for that particular search head?</P> Fri, 28 Jul 2017 19:33:52 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337304#M62303 adonio 2017-07-28T19:33:52Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337305#M62304 <P>Nope, none whatsoever. In fact, the largest index on that search head is 3 MB; and that's only because it did some self-indexing before I configured it when it was originally stood up.</P> Fri, 28 Jul 2017 19:39:52 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337305#M62304 Haybuck15 2017-07-28T19:39:52Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337306#M62305 <P>the search head outputs its data<BR /> try and search;</P> <PRE><CODE>index = _ internal host = "yourQueuedSearchHead" log_level = warn* OR log_level = error </CODE></PRE> <P>any results</P> Fri, 28 Jul 2017 19:41:57 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337306#M62305 adonio 2017-07-28T19:41:57Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337307#M62306 <P>So, it looks like the search is coming back empty, however I can do the same for every other instance of Splunk in the deployment. Is it possible that the indexing queues would fill up if it can't forward its internal logs? I mean, I wouldn't think so.</P> Fri, 28 Jul 2017 19:45:28 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337307#M62306 Haybuck15 2017-07-28T19:45:28Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337308#M62307 <P>wild guess here,<BR /> check available disk space on this particular search head<BR /> if theres no space, or very minimal it can prevent splunk from indexing locally and sending the data from the search heads to indexers layer</P> Fri, 28 Jul 2017 19:50:46 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337308#M62307 adonio 2017-07-28T19:50:46Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337309#M62308 <P>296 GB / 299 GB Free, so that's not it.</P> Fri, 28 Jul 2017 19:52:38 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337309#M62308 Haybuck15 2017-07-28T19:52:38Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337310#M62309 <P>There's a typo in adonio's search.</P> <PRE><CODE>index = _internal host = "yourQueuedSearchHead" log_level = warn* OR log_level = error </CODE></PRE> Fri, 28 Jul 2017 19:55:15 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337310#M62309 jkat54 2017-07-28T19:55:15Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337311#M62310 <P>I typed it by hand, I didn't copy paste it, so that's not the issue. Just doing the below search pulls back nothing.</P> <P>index=_* host="yourQueuedSearchHead"</P> Fri, 28 Jul 2017 20:03:33 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337311#M62310 Haybuck15 2017-07-28T20:03:33Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337312#M62311 <P>Do you have an outputs.conf on your SH that forwards its logs to your indexers?</P> Fri, 28 Jul 2017 20:11:30 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337312#M62311 esix_splunk 2017-07-28T20:11:30Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337313#M62312 <P>Yes, yes I do. I in fact have one on every Splunk system in the environment that's not a Universal Forwarder.</P> Fri, 28 Jul 2017 20:13:14 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337313#M62312 Haybuck15 2017-07-28T20:13:14Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337314#M62313 <P>May be you can try clearing dispatch directory or increase indexingqueue size.</P> Fri, 28 Jul 2017 20:45:00 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337314#M62313 sbbadri 2017-07-28T20:45:00Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337315#M62314 <P>Are you replacing "yourQueuedSearchHead" with the host name of your queued search head?</P> Fri, 28 Jul 2017 21:30:43 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337315#M62314 jkat54 2017-07-28T21:30:43Z https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337316#M62315 <P>Are ports/ACL/routes in place to allow for your Search Head to send to your indexers (9997/9998)?</P> Sun, 30 Jul 2017 04:17:05 GMT https://community.splunk.com/t5/Getting-Data-In/Why-are-indexing-queues-full-on-the-search-head-but-nothing-has/m-p/337316#M62315 woodcock 2017-07-30T04:17:05Z