I am using HEC tokens to collect the logs from servers. Sometimes we fire the events but the events do not come into Splunk. We have one indexer and all our tokens are managed on the indexer only. The moment we restart the indexer, all the logs come up frequently. If we don't restart, we do not get the logs sent via HEC tokens.
What is the issue, and how can I fix it? Why, most of the time, is only a restart pulling the logs?
I'd check the monitoring console for queues getting filled up on your indexers. When you restart, they get cleaned up so maybe that's a reason for it.
Check queue fill ratio in Indexer Performance of Monitoring Console
Now I checked and saw everything at 0 there. Do I need to check when the issue comes again, and if that's the case, how can I clear those?
You can't clear the queues. They are there to avoid a total Splunk crash and serve as a buffer that will get filled and emptied according to data flow rate and processing capacity. If you see that queues are full when you stop receiving events or are receiving too few events, then it is time for evaluation.
Maybe you do not have adequate machines to ingest that amount of data, but I'm purely speculating. Check the indicators in the queues, and resources in general for your indexer layer, to see if it is overflowing.
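One way to review queue fill for the period when events stopped, without waiting for the next occurrence (an added example, not part of the thread). It assumes the indexer's `metrics.log` carries `group=queue` lines with `max_size_kb`, `current_size_kb` and an optional `blocked=true`; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the assumed metrics.log layout (not real output).
SAMPLE = """\
03-01-2024 10:00:01.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=12, current_size=3, largest_size=9, smallest_size=0
03-01-2024 10:00:01.000 +0000 INFO  Metrics - group=queue, name=indexqueue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=4, smallest_size=0
03-01-2024 10:00:01.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="httpevent", kbps=1.2, eps=3.0
03-01-2024 10:00:32.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, blocked=true, max_size_kb=6144, current_size_kb=6143, current_size=1900, largest_size=1900, smallest_size=3
03-01-2024 10:00:32.000 +0000 INFO  Metrics - group=queue, name=indexqueue, blocked=true, max_size_kb=500, current_size_kb=499, current_size=1321, largest_size=1373, smallest_size=0
03-01-2024 10:01:03.000 +0000 INFO  Metrics - group=queue, name=indexqueue, max_size_kb=500, current_size_kb=20, current_size=40, largest_size=1321, smallest_size=0
"""

KV = re.compile(r"(\w+)=([^,\s]+)")

def parse_queue_lines(text):
    """Yield (timestamp, queue name, fill %, blocked) for each group=queue line."""
    for line in text.splitlines():
        if "group=queue" not in line:
            continue  # thruput and other metric groups are not queue samples
        fields = dict(KV.findall(line))
        try:
            max_kb = float(fields["max_size_kb"])
            cur_kb = float(fields["current_size_kb"])
        except (KeyError, ValueError):
            continue  # line without usable size fields
        if max_kb <= 0:
            continue
        ts = " ".join(line.split()[:2])
        pct = round(100 * cur_kb / max_kb, 1)
        yield ts, fields.get("name", "?"), pct, fields.get("blocked") == "true"

def saturated(text, threshold=90.0):
    """Per queue: peak fill % and the timestamps where it was blocked or near full."""
    report = defaultdict(lambda: {"peak": 0.0, "hits": []})
    for ts, name, pct, blocked in parse_queue_lines(text):
        entry = report[name]
        entry["peak"] = max(entry["peak"], pct)
        if blocked or pct >= threshold:
            entry["hits"].append(ts)
    return dict(report)

if __name__ == "__main__":
    for queue, entry in saturated(SAMPLE).items():
        print(f"{queue}: peak {entry['peak']}% saturated at {entry['hits']}")
```

If no queue shows hits around the time events stopped, the queues were not the bottleneck at that moment.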
OK, got it. Apart from that, are there any other issues we could point to for the delay?
I'd say it has to be resource consumption: either queues filling up, RAM or CPUs, or even your network not coping with the volume. All of that can be analyzed in the Monitoring Console.
Hi Tiago, I checked again when the issue came. The queue fill ratio and everything looks good, but I don't know why logging sometimes stopped; then after a restart of the indexer all the stuck logs came. Is it due to less logging volume?
OK, thanks Tiago. I will monitor when this issue comes up next time.