Now i checked i saw everything in 0 their , do i need to check when the issue comes again , and if its the case how can i clear those ?

You can't clear the queues. They are there to avoid a total Splunk crash and serve as a buffer that will get filled and emptied according to data flow rate and processing capacity. If you see that queues are full when you stop receiving events or are receiving too few events, then it is time for evaluation.

Maybe you have not adequate machines to ingest that amount of data, but I'm purely speculating. Check the indicators in the queues, and resource in general for your indexer layer to see if it is overflowing.

ok got it apart from it is their any other issues where we will point out the delay ?

I'd say it has to be resource consumption, either queues filling up, RAM or CPUs, or even your network not coping with the volume, all that can be analyzed in the Monitoring Console

Hi tiago , i checked again the issue came , the quefill ratio everything looks good but dont know why logging sometimes stopped then after restart of the indexer all stucked logs came is it due to less logging volume ?

ok thanks tiago i will monitor when net time this issue will comes up.