Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Blockage of Queue

vishaltaneja070
Motivator
‎09-26-2019 12:47 AM

Hello All,

Some of the queues are getting blocked in Splunk. Need help to solve it.
alt text

Preview file
1 KB
0 Karma
Reply

user789
New Member
‎02-10-2020 06:09 AM

How did you generate this? I would like to do the same thing.

0 Karma
Reply

harsmarvania57
SplunkTrust
SplunkTrust
‎09-26-2019 03:30 AM

Hi,

While looking at graph, your indexing queue is blocking continuously but percentage is low, for that you are hitting IOPS issue. Have a look at very good white paper created by @dpaper_splunk for disk diagnostics.

For parsing and Aggregation queue, it looks like due to full aggregation queue & back-pressure, parsing queue also filled 100%. I'll suggest you to find which host,source ingested more data during that time and see any splunkd.log warning or error during same time like: timestamp parsing issue. Have a look at detailed pipeline diagram on https://wiki.splunk.com/Community:HowIndexingWorks and if possible configure TIMESTAMP parameter for larger datasets so that splunk parse those data quickly which will help to remediate blocking queue issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...