<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Why does the indexing rate oscillate between few KBs per second to few MBs per second? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444394#M77359</link>
    <description>&lt;P&gt;No, this is not expected.&lt;/P&gt;

&lt;P&gt;If your queues are filling up you have serious problems.&lt;BR /&gt;
I suspect you have issues ingesting the data - probably due to event breaking and timestamp extraction.&lt;/P&gt;

&lt;P&gt;Have you looked in your internal logs to see if anything is reported?&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;index=_internal sourcetype=splunkd source=*splunkd.log log_level=WARN or log_level=ERROR&lt;/CODE&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 19 Mar 2019 11:07:17 GMT</pubDate>
    <dc:creator>nickhills</dc:creator>
    <dc:date>2019-03-19T11:07:17Z</dc:date>
    <item>
      <title>Why does the indexing rate oscillate between few KBs per second to few MBs per second?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444393#M77358</link>
      <description>&lt;P&gt;I deployed Splunk Enterprise edition 7.2.3 and gave it 1 TB data for indexing. The data is available locally. Initially, when the queues(parsing, merging, typing and indexing) are empty, I am getting an index rate of ~2MB per second. But as the queues get filled, the indexing rate drops to a few KBs per second. But from there on the indexing rate keeps increasing and dropping. Also, sometimes, indexing doesn't happen at all when the parsing queue and merging queue are full.  &lt;span class="lia-inline-image-display-wrapper" image-alt="Queue snapshot"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/6716i03D06BD241AE20CB/image-size/large?v=v2&amp;amp;px=999" role="button" title="Queue snapshot" alt="Queue snapshot" /&gt;&lt;/span&gt;&lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Is this behavior expected?&lt;/LI&gt;
&lt;LI&gt;How do we achieve consistent indexing rate?&lt;/LI&gt;
&lt;LI&gt;Is increasing parsing queue size a solution? But that will also get filled soon. &lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;Note:  20GB license is also added. &lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2019 10:59:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444393#M77358</guid>
      <dc:creator>swatishs</dc:creator>
      <dc:date>2019-03-19T10:59:04Z</dc:date>
    </item>
    <item>
      <title>Re: Why does the indexing rate oscillate between few KBs per second to few MBs per second?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444394#M77359</link>
      <description>&lt;P&gt;No, this is not expected.&lt;/P&gt;

&lt;P&gt;If your queues are filling up you have serious problems.&lt;BR /&gt;
I suspect you have issues ingesting the data - probably due to event breaking and timestamp extraction.&lt;/P&gt;

&lt;P&gt;Have you looked in your internal logs to see if anything is reported?&lt;/P&gt;

&lt;P&gt;&lt;CODE&gt;index=_internal sourcetype=splunkd source=*splunkd.log log_level=WARN or log_level=ERROR&lt;/CODE&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2019 11:07:17 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444394#M77359</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2019-03-19T11:07:17Z</dc:date>
    </item>
    <item>
      <title>Re: Why does the indexing rate oscillate between few KBs per second to few MBs per second?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444395#M77360</link>
      <description>&lt;P&gt;Oh.. Okay. But won't queue get filled up if the incoming rate is more than indexing rate?&lt;/P&gt;

&lt;P&gt;I am sharing the screenshot of the search query and health error also. Let me know if you have any more queries. &lt;/P&gt;

&lt;P&gt;Error: &lt;A href="https://ibb.co/ZmNtRX7"&gt;https://ibb.co/ZmNtRX7&lt;/A&gt;&lt;BR /&gt;
Search query: &lt;A href="https://ibb.co/wW6dZB5"&gt;https://ibb.co/wW6dZB5&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2019 11:48:48 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444395#M77360</guid>
      <dc:creator>swatishs</dc:creator>
      <dc:date>2019-03-19T11:48:48Z</dc:date>
    </item>
    <item>
      <title>Re: Why does the indexing rate oscillate between few KBs per second to few MBs per second?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444396#M77361</link>
      <description>&lt;P&gt;In an ideal world all the queues should be at 0% - if any of them are more than a few % it indicates problems.&lt;/P&gt;

&lt;P&gt;Because its the early queues that are full, it suggests the bottleneck is &lt;STRONG&gt;not&lt;/STRONG&gt; with the actual indexing/writing to disk.&lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2019 11:52:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444396#M77361</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2019-03-19T11:52:55Z</dc:date>
    </item>
    <item>
      <title>Re: Why does the indexing rate oscillate between few KBs per second to few MBs per second?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444397#M77362</link>
      <description>&lt;P&gt;Okay. But in what scenarios can the initial queues be full and indexing queues empty? &lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2019 11:57:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444397#M77362</guid>
      <dc:creator>swatishs</dc:creator>
      <dc:date>2019-03-19T11:57:30Z</dc:date>
    </item>
    <item>
      <title>Re: Why does the indexing rate oscillate between few KBs per second to few MBs per second?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444398#M77363</link>
      <description>&lt;P&gt;for the reasons i mentioned above - probably timestamp extraction, or line breaking.&lt;/P&gt;

&lt;P&gt;Have you checked in your internal logs?&lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2019 12:01:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444398#M77363</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2019-03-19T12:01:10Z</dc:date>
    </item>
    <item>
      <title>Re: Why does the indexing rate oscillate between few KBs per second to few MBs per second?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444399#M77364</link>
      <description>&lt;P&gt;I think you are right. I checked splunkd.logs.&lt;BR /&gt;
It is scattered with messages "&lt;EM&gt;WARN  AggregatorMiningProcessor - Breaking event because limit of 256 has been exceeded&lt;/EM&gt;".  Found a possible reason here: &lt;A href="https://answers.splunk.com/answers/141721/error-in-splunkd-log-breaking-event-because-limit-of-256-has-been-exceeded.html"&gt;https://answers.splunk.com/answers/141721/error-in-splunkd-log-breaking-event-because-limit-of-256-has-been-exceeded.html&lt;/A&gt;. &lt;/P&gt;

&lt;P&gt;Correct me if I am wrong here. I think the data itself causing the issue. The parser is spending too much time breaking the event that it is not able to send data to the indexing queues and also leading to the parsing queues being filled up. &lt;/P&gt;

&lt;P&gt;As suggested in one of the comments in the above link, will changing the MAX_EVENTS=10000 resolve the issue? &lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2019 12:18:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444399#M77364</guid>
      <dc:creator>swatishs</dc:creator>
      <dc:date>2019-03-19T12:18:18Z</dc:date>
    </item>
    <item>
      <title>Re: Why does the indexing rate oscillate between few KBs per second to few MBs per second?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444400#M77365</link>
      <description>&lt;P&gt;Exactly the cause, but changing the limits will make your problem even worse!&lt;BR /&gt;
Don't do this!&lt;/P&gt;

&lt;P&gt;You need to fix the breaking issue by applying the correct settings in props.conf for your log format.&lt;/P&gt;</description>
      <pubDate>Tue, 19 Mar 2019 12:22:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444400#M77365</guid>
      <dc:creator>nickhills</dc:creator>
      <dc:date>2019-03-19T12:22:46Z</dc:date>
    </item>
    <item>
      <title>Re: Why does the indexing rate oscillate between few KBs per second to few MBs per second?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444401#M77366</link>
      <description>&lt;P&gt;Also from the logs, it seems like those warnings crops up only for .gz files. What I think is that Splunk is not decompressing it and taking the compressed content as one single event. But shouldn't Splunk take care of uncompressing the data before indexing it? Do I need to specify in the data input type as well? But the input data is a mixture of compressed logs and text log files. &lt;/P&gt;</description>
      <pubDate>Tue, 26 Mar 2019 06:45:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-does-the-indexing-rate-oscillate-between-few-KBs-per-second/m-p/444401#M77366</guid>
      <dc:creator>swatishs</dc:creator>
      <dc:date>2019-03-26T06:45:18Z</dc:date>
    </item>
  </channel>
</rss>

