Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunkforwarder 6.1.4 blocks and unable to self-recover "TailingProcessor - Could not send data to output queue (parsingQueue), retrying..."

the_wolverine
Champion
‎02-28-2017 11:53 AM

Seen in splunk.log repeatedly (nothing else)

TailingProcessor - Could not send data to output queue (parsingQueue), retrying...

Our forwarders seem to get blocked occasionally and are unable to recover. We've found them in this state for days sometimes, and due to block, we don't get the internal logs in Splunk to detect this condition.

Files monitored:
maybe 50-100 files, 10 active files, rolled files ~100MB each at rotation.

A restart of the splunkforwarder resolves the issue.

Reply

woodcock
Esteemed Legend
‎03-01-2017 07:35 AM

If what @ddrillic (@lguinn) said is the problem; here is another way out:

https://answers.splunk.com/answers/309910/how-to-monitor-a-folder-for-newest-files-only-file.html

0 Karma
Reply

ddrillic
Ultra Champion
‎03-01-2017 06:54 AM

The question is whether they are being blocked at the forwarder level or at the indexer level.

Cheerful discussion at Could not send data to output queue (parsingQueue)

@lguinn explained and said -

alt text

Preview file
1 KB
0 Karma
Reply

the_wolverine
Champion
‎03-01-2017 09:50 AM

There are maybe 50-100 (100MB) files so this is not the issue. Also, it is forwarder-specific .. as in a handful of forwarders get blocked and never recover on their own.

Occasional blocking at the indexer is normal and recovers. But am seeing ceilings being hit, but indexer recovers .. but the forwarder does not for many days before I detect it. Restarting the splunkforwarder resolves it.

0 Karma
Reply

ben_leung
Builder
‎02-28-2017 02:40 PM

Is it just parsing queue thats blocked?

0 Karma
Reply

woodcock
Esteemed Legend
‎02-28-2017 12:12 PM

I don't know what is causing it but you can turn on an alert inside the (Deployment) Monitoring Console to alert you to Missing Forwarders. If you can cannot find it, run the Health Checks and look for bread crumbs there.

0 Karma
Reply

woodcock
Esteemed Legend
‎02-28-2017 12:13 PM

Also, upgrade to the latest forwarder version of Splunk; I find that forwarders often run VERY far behind in versions, which is not good.

0 Karma
Reply

the_wolverine
Champion
‎02-28-2017 02:34 PM

Yeah, we're planning on upgrading soon as assuming this is an undocumented bug at this point.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...