Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does Splunk have a precedence for what logs to forwarder first?

EatMoreChicken
Explorer
‎02-11-2022 08:27 AM

If I had logs for the `_internal` index and logs for a `linux_os` index on a Heavy Forwarder, does the HF prioritize the `linux_os` index data prior to the `_internal` data on the host? Is there any precedence for data Splunk is monitoring?  Does Indexers have a precedence for what kind of data to index first?

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-12-2022 03:53 AM

There is a question of what do you mean by priority because there are at least two different situations whent it might make a difference.

One is a question which data is getting enqueued and/or transmitted first when the forwarder cannot send the data with full speed (receiving party stalling or thruput limits). And here indeed _internal logs might be prioritized. But to be fully honest, I don't see a good reason for that. After all those are only normal monitor inputs watching files in $SPLUNK_HOME/var/log/splunkd

But another situation is if you (re)start the forwarder and it has to restart all inputs which means it has to re-examine all monitored files, re-read them and so in. In this case - from my experience - there is definitely no _internal priority. I had many situations with UF's monitoring huge sets of files that I would have to wait up to several hours for my _internal events after restart.

Reply

gcusello
SplunkTrust
SplunkTrust
‎02-11-2022 08:32 AM

Hi @EatMoreChicken,

for my knowledge, it isn't possible define a priority between logs, with the only exception on the Splunk internal logs.

So, in your case linux_os logs are surely sent before _internal, but it isn't possible to prioritize linux_os respect wineventlog.

Ciao.

Giuseppe

Reply

EatMoreChicken
Explorer
‎02-11-2022 11:54 AM

Gotcha, that's exactly what I was seeing. `_internal` logs were consistently coming in after other logs, so just wanted to make sure. Would you happen to know of any Splunk docs documenting this? Just wondering.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-11-2022 10:31 PM

Hi @EatMoreChicken,

why you're wondering? it's a logical behavior.

I searched some doc about this but Ididn't find it soon, sorry.

Ciao.

Giuseppe

Reply

EatMoreChicken
Explorer
‎02-18-2022 06:00 AM

Just wanted to have some concrete documentation around it in the event someone else asks me.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...