All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Spluk Addon for AWS

ajith_sukumaran
Explorer
‎11-15-2019 08:55 AM

Hello

The addon configured for AWS runs form 3 HFs to get the data from SQS queue, however on the SQS, the Messages Available" grows to 999K+ and is not getting cleared. "Messages in Flight" appears to be around 30

Tried to increase the interval to 20 secs on the CloudTrail Input to see if that helps, but it did not.
The Queue still grows, dont see any errors on the splunk_ta_aws_cloudtrail_main.log

"processing 20 records in s3:logs*/AWSLogs/..json.gz"
"fetched 20 records, wrote 20, discarded 0, redirected 0 from s3:logs/AWSLogs/*..json.gz"

Any suggestions on how to ensure the Queue is read to clear the Messages Available

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

KranthiGhanta
Engager
‎12-05-2019 09:52 AM

Hi @ajith_sukumaran ,

In order to avoid the situation of SQS getting clogged , use more input pipelines from the HF on the same SQS (on the existing inputs, select clone and change the polling period to 90seconds), once the sqs queue is grabbed by one consumer(input) it will not be available for other , so you are increasing the ingestion levels by this method, you can grow as big as you want but make sure your HF resources are not fully throttled by the input processing. ( as its parallel processing)

hope this helps , thanks

View solution in original post

Reply
Solved! Jump to solution
Solution

KranthiGhanta
Engager
‎12-05-2019 09:52 AM

Hi @ajith_sukumaran ,

In order to avoid the situation of SQS getting clogged , use more input pipelines from the HF on the same SQS (on the existing inputs, select clone and change the polling period to 90seconds), once the sqs queue is grabbed by one consumer(input) it will not be available for other , so you are increasing the ingestion levels by this method, you can grow as big as you want but make sure your HF resources are not fully throttled by the input processing. ( as its parallel processing)

hope this helps , thanks

Reply
Solved! Jump to solution

ajith_sukumaran
Explorer
‎12-05-2019 10:18 AM

Thanks. This is exactly the suggested solution later found out from Splunk too.
Thus the config would look as:
eg:

[aws_cloudtrail://AWSCloudTrailData]

sqs_queue = AWS-Splunk

[aws_cloudtrail://AWSCloudTrailData0]

sqs_queue = AWS-Splunk

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...