https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522577#M88263 <P>In a previous post you suggested that I check that it will have a minimum IOPS, after checking, the disk has more than 800, it even has double.&nbsp;</P> Thu, 01 Oct 2020 19:12:16 GMT splunkcol 2020-10-01T19:12:16Z https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522511#M88236 <P>I have a problem with the logs, they are arriving with a delay of 12 hours or more</P><P>The information first reaches a syslog server and is forwarded to the indexers</P><P>When reviewing the logs in the syslog servers I find that they arrive without problem and with the correct date and time</P><P>when I go to the indexers or search heads to look at the logs I see that they have a delay of 12 hours or more</P><P>&nbsp;</P><P>With this document I have tried to diagnose the problem but I cannot find the same panels that ask to review the document</P><P>in the part where it is suggested to check with the command iostat -zx 1 one of the parameters are in the values ​​cataloged as bad</P><P><A href="https://www.splunk.com/pdfs/technical-briefs/disk-diagnosis-digging-deep-with-monitoring-console-and-more.pdf" target="_blank" rel="noopener">https://www.splunk.com/pdfs/technical-briefs/disk-diagnosis-digging-deep-with-monitoring-console-and-more.pdf</A></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunkcol_1-1601562510064.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11076iA9ADACD4A916C2A0/image-size/medium?v=v2&amp;px=400" role="button" title="splunkcol_1-1601562510064.png" alt="splunkcol_1-1601562510064.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="splunkcol_0-1601561959333.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11075iD935EDC35D6C83B7/image-size/large?v=v2&amp;px=999" role="button" title="splunkcol_0-1601561959333.png" alt="splunkcol_0-1601561959333.png" /></span><SPAN>What else should I check?</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunkcol_2-1601562619818.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11077i87E365F595AC68C1/image-size/large?v=v2&amp;px=999" role="button" title="splunkcol_2-1601562619818.png" alt="splunkcol_2-1601562619818.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 01 Oct 2020 14:34:44 GMT https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522511#M88236 splunkcol 2020-10-01T14:34:44Z https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522513#M88237 How you are reading and forwarding those logs from syslog server? One issue could be that if/when you are using UF, you are hitting is't max default capacity?<BR />This is good starting point for looking this issue: <A href="https://conf.splunk.com/files/2019/slides/FN1570.pdf" target="_blank">https://conf.splunk.com/files/2019/slides/FN1570.pdf</A><BR />r. Ismo Thu, 01 Oct 2020 14:39:26 GMT https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522513#M88237 isoutamo 2020-10-01T14:39:26Z https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522569#M88259 <P>yes, the syslog server receives the logs and forwards them to the indexers using UF</P><P>I understand that the cause of the queuing is typingqueue?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunkcol_0-1601577492282.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/11084i824946B85BCAD173/image-size/large?v=v2&amp;px=999" role="button" title="splunkcol_0-1601577492282.png" alt="splunkcol_0-1601577492282.png" /></span></P><P>&nbsp;</P> Thu, 01 Oct 2020 18:42:41 GMT https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522569#M88259 splunkcol 2020-10-01T18:42:41Z https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522575#M88261 In your first message it shows that your disk io utilization is 100%. This means that it cannot handle more traffic without adding more disk to get more performance.<BR />What kind of disk you have and what is amount of your daily/peak indexing volume? Thu, 01 Oct 2020 19:02:15 GMT https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522575#M88261 isoutamo 2020-10-01T19:02:15Z https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522577#M88263 <P>In a previous post you suggested that I check that it will have a minimum IOPS, after checking, the disk has more than 800, it even has double.&nbsp;</P> Thu, 01 Oct 2020 19:12:16 GMT https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522577#M88263 splunkcol 2020-10-01T19:12:16Z https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522580#M88265 Splunk’s requirements is minimum 800 IOPS per disk to working. But it’s just minimum. Reality is totally dependent how much you are ingesting and what kind of query load you have. Here is link to reference hardware <A href="https://docs.splunk.com/Documentation/Splunk/8.0.6/Capacity/Referencehardware" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.6/Capacity/Referencehardware</A> Thu, 01 Oct 2020 19:21:19 GMT https://community.splunk.com/t5/Getting-Data-In/delayed-logs/m-p/522580#M88265 isoutamo 2020-10-01T19:21:19Z