Deployment Architecture

How to resolve issue after updating HF: 'Indicator 'ingestion_latency_gap_multiplier' exceeded configured value...'?

SplunkforBektas
Engager

Hi everyone, 

After upgrading heavyforwarder to ver 9 , we've  encountered following error "Indicator 'ingestion_latency_gap_multiplier' exceeded configured value. The observed value is 1219. Message from 60F7CA48-C86F-47AD-B6EF-0B79273913A8:172.20.161.1:55892" .  Could you please assist to resolve the issue ?

Labels (1)

youngsuh
Contributor

I started having the issue after upgrade 9.0.3.  Did you ever resolve?

0 Karma

humrish_b
Explorer

Hi All,

 

We have also started observing this error after upgrade to 9.0.1, in few forums it was discussed that it will resolved in next Splunk version 9.0.2. Now we have upgraded all our Splunk to 9.0.2 but still we observing this error in our Splunk instances.

If anyone has found any solutions kindly let us know.

0 Karma

bahlgrim
New Member

Forgot to add the error:  "the health indicator "ingestion_latency_indexer_health" is red due to the following: "Indicator 'ingestion_latency_gap_multiplier' exceeded configured value."

0 Karma

foxtrade
Observer

Just synchronize the time zone of your machines. Because splunk think there is a delay in the transmission of your data

0 Karma

jbcharvetmatric
Explorer

Same problem here with few differences :

- errors start occuring after upgrading to Splunk9 all instances except UF

- half of UF are Splunk8.2, other half 9.0

 

  • Root Cause(s): :
    • Indicator 'ingestion_latency_gap_multiplier' exceeded configured value. The observed value is 15116027. Message from <guid of i-don't-know-what maybe a UF>:<ip of i-don't-know-what>:63981
    • Indicator 'ingestion_latency_gap_multiplier' exceeded configured value. The observed value is 1109533. Message from <an other guid of i-don't-know-what>:<an other ip of i-don't-know-what>:61771
  • Unhealthy Instances:
    • indexer 1 of site 1
    • indexer 2 of site 1 (cluster of 4 indexers on 2 site in total)

     

 

 

I'm investigating, if I fin'd info or the solution I'll comment here! Good luck with your searches!

0 Karma

sirajnp
Path Finder

Hi,

 

Did you find any solution for this?

0 Karma

SplunkforBektas
Engager

no

0 Karma

bahlgrim
New Member

Has anyone found a solution to this? I'm seeing he same problem after upgrading indexers and search head to 9.0.1. Our UF's are at v8.0.3. Those are about to be upgraded after we fix the forwarding problem (also caused by upgrade).

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...