Hi Livehybrid

This pipelines configurations came from a splunk PS.

I understand the risk to loose 1 Gb of data if this forwarder goes down ! Thank you !

About the datas, all data is coming from upstreams forwarder. This is raw data (Firewall, DNS ...) and structured data as json entries.

The connectivity between f<dr and indexer is VPN (350 Mbps throughput for each forwarder).

 

A last point, i missed to wrote in my first post, We are in "y" double output  because we are mooving from one platform to a new one and during 1 month, we have to send data over the two platforms.

 

 

 

When you have more than one target where you are sending then if any of those will blocked the traffic then all traffic will be blocked quite soon after that. Basically after blocked targets queue is full then all other targets will be blocked. This is default behavior of splunk. There are two options which you could change to change this behavior but it means that probability of lost some event will increase.

Hi @_olivier_ 

I certainly don't doubt my PS colleagues in their recommendations, as they will certainly have more information that I do about this particular set up, but wanted to make sure you knew about the queue etc.

If its helpful, there is a really good explanation of pipelines at https://community.splunk.com/t5/Getting-Data-In/How-many-pipelines-should-I-use-on-a-forwarder/m-p/4... which is worth a read. 

Interesting that you say about sending to two platforms, as it does sound like congestion outbound from the UF rather than an actual issue with the parsing part of the pipeline. It might be worth (if possible) monitoring the network egress to confirm its not hitting a ceiling, and also check if either of the two outputs are blocking (Check the _internal logs in both platforms for "TcpOutputProc" errors.

Another resource worth checking is https://conf.splunk.com/files/2019/slides/FN1570.pdf which might also help.

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Thanks for the links, I gona read them and check logs for output errors.

You definitely should read what Harendra said!

Hi isoutamo, 

 

In the splunk doc, the is the description for in an out pipelines : 

"When you enable multiple pipeline sets on a forwarder, each pipeline handles both data input and output."

 

Are you sure that only one line pipeline is affectied to input processor ?

 

 

What I have read and understand based on many discussions is that even there is several pipelines those all share only one input part. I have gotten understanding that there is one input and pipelines start after that and it’s possible that this inputs will be blocked which also blocks other pipelines.

OK, this is the explanation of the connexions refused when one pipeline queue get blocked.

Thanks,

Now, I have to understand why i've got pipelines queues blocked.

 

 

Usually process is that start to look from right to left and find first blocked / queue which is full. Then look the next processor of right hand side. Usually issue is there.