Solved: Does an indexer write its queues to disk when we s...

ddrillic · ‎12-30-2017

I wonder whether the contents of the Indexing queue is being written to disk when we shut down the indexer? Also, what happens to the content in the previous queues - Parsing, Aggregation and Typing queues?

micahkemp · ‎12-31-2017

I tried to find this in documentation (or at least another answers post) to refer to with specifics, but the general answer is Slunk will stop its inputs (monitor, splunktcp, script, etc) first, then wait for its queues to empty by being fully processed before stopping splunkd.

I wouldn't consider that "writing its queues to disk", instead it's more "stop adding to the queues and let them clear on their own".

View solution in original post

micahkemp · ‎12-31-2017

I tried to find this in documentation (or at least another answers post) to refer to with specifics, but the general answer is Slunk will stop its inputs (monitor, splunktcp, script, etc) first, then wait for its queues to empty by being fully processed before stopping splunkd.

I wouldn't consider that "writing its queues to disk", instead it's more "stop adding to the queues and let them clear on their own".

ddrillic · ‎01-01-2018

So, are we losing the data which are in the queues?

micahkemp · ‎01-01-2018

I wouldn’t expect that to happen, no.

The queues should empty prior to splunkd stopping, by way of events making their way through the remaining queues.

micahkemp · ‎01-01-2018

But again, I haven’t been able to find documentation detailing this. But this is what I have witnessed as taking place.

ddrillic · ‎01-01-2018

Fair enough ; - )

Does an indexer write its queues to disk when we shut it down?

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

Observability Highlights | January 2023 Newsletter