Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Does Splunk have a precedence for what logs to forwarder first?

EatMoreChicken
Explorer
‎02-11-2022 08:27 AM

If I had logs for the `_internal` index and logs for a `linux_os` index on a Heavy Forwarder, does the HF prioritize the `linux_os` index data prior to the `_internal` data on the host? Is there any precedence for data Splunk is monitoring?  Does Indexers have a precedence for what kind of data to index first?

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-12-2022 03:53 AM

There is a question of what do you mean by priority because there are at least two different situations whent it might make a difference.

One is a question which data is getting enqueued and/or transmitted first when the forwarder cannot send the data with full speed (receiving party stalling or thruput limits). And here indeed _internal logs might be prioritized. But to be fully honest, I don't see a good reason for that. After all those are only normal monitor inputs watching files in $SPLUNK_HOME/var/log/splunkd

But another situation is if you (re)start the forwarder and it has to restart all inputs which means it has to re-examine all monitored files, re-read them and so in. In this case - from my experience - there is definitely no _internal priority. I had many situations with UF's monitoring huge sets of files that I would have to wait up to several hours for my _internal events after restart.

Reply

gcusello
SplunkTrust
SplunkTrust
‎02-11-2022 08:32 AM

Hi @EatMoreChicken,

for my knowledge, it isn't possible define a priority between logs, with the only exception on the Splunk internal logs.

So, in your case linux_os logs are surely sent before _internal, but it isn't possible to prioritize linux_os respect wineventlog.

Ciao.

Giuseppe

Reply

EatMoreChicken
Explorer
‎02-11-2022 11:54 AM

Gotcha, that's exactly what I was seeing. `_internal` logs were consistently coming in after other logs, so just wanted to make sure. Would you happen to know of any Splunk docs documenting this? Just wondering.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-11-2022 10:31 PM

Hi @EatMoreChicken,

why you're wondering? it's a logical behavior.

I searched some doc about this but Ididn't find it soon, sorry.

Ciao.

Giuseppe

Reply

EatMoreChicken
Explorer
‎02-18-2022 06:00 AM

Just wanted to have some concrete documentation around it in the event someone else asks me.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...