All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Spluk Addon for AWS

ajith_sukumaran
Explorer
‎11-15-2019 08:55 AM

Hello

The addon configured for AWS runs form 3 HFs to get the data from SQS queue, however on the SQS, the Messages Available" grows to 999K+ and is not getting cleared. "Messages in Flight" appears to be around 30

Tried to increase the interval to 20 secs on the CloudTrail Input to see if that helps, but it did not.
The Queue still grows, dont see any errors on the splunk_ta_aws_cloudtrail_main.log

"processing 20 records in s3:logs*/AWSLogs/..json.gz"
"fetched 20 records, wrote 20, discarded 0, redirected 0 from s3:logs/AWSLogs/*..json.gz"

Any suggestions on how to ensure the Queue is read to clear the Messages Available

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

KranthiGhanta
Engager
‎12-05-2019 09:52 AM

Hi @ajith_sukumaran ,

In order to avoid the situation of SQS getting clogged , use more input pipelines from the HF on the same SQS (on the existing inputs, select clone and change the polling period to 90seconds), once the sqs queue is grabbed by one consumer(input) it will not be available for other , so you are increasing the ingestion levels by this method, you can grow as big as you want but make sure your HF resources are not fully throttled by the input processing. ( as its parallel processing)

hope this helps , thanks

View solution in original post

Reply
Solved! Jump to solution
Solution

KranthiGhanta
Engager
‎12-05-2019 09:52 AM

Hi @ajith_sukumaran ,

In order to avoid the situation of SQS getting clogged , use more input pipelines from the HF on the same SQS (on the existing inputs, select clone and change the polling period to 90seconds), once the sqs queue is grabbed by one consumer(input) it will not be available for other , so you are increasing the ingestion levels by this method, you can grow as big as you want but make sure your HF resources are not fully throttled by the input processing. ( as its parallel processing)

hope this helps , thanks

Reply
Solved! Jump to solution

ajith_sukumaran
Explorer
‎12-05-2019 10:18 AM

Thanks. This is exactly the suggested solution later found out from Splunk too.
Thus the config would look as:
eg:

[aws_cloudtrail://AWSCloudTrailData]

sqs_queue = AWS-Splunk

[aws_cloudtrail://AWSCloudTrailData0]

sqs_queue = AWS-Splunk

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...