Getting Data In

How Indexers behave when it comes into detention state ?

tsawa_splunk
Splunk Employee
Splunk Employee

I understand Splunk provides multiple means to control the disk size for indexing, and I want to understand better around minFreeSpace option which is specified in server.conf.

If the actual usage of the filesystem exceeds the threshold specified by minFreeSpace, how will the data which was seized from being indexed be handled after the disk space gets freed ? As long as the ack on Forwarder is enabled, will the data again be collected and indexed, or will it be just lost ?

I assume the result may be varied across types of input, forwarder, tcp/udp, HEC, etc ...
Any detailed answer would be highly appreciated.

0 Karma
1 Solution

FrankVl
Ultra Champion

If an indexer goes into detention, it will stop accepting new data on its inputs. If you have multiple indexers and you've set up your forwarders to load balance across your indexers, they will simply divert to the other indexers. If you have only a single indexer, then queues will start filling up on your forwarders and once those are full, their inputs will also block. In some cases your data sources may cache and resend once the blockage is over, but in many cases data will start to get lost (especially with 'unreliable' transport methods like UDP).

View solution in original post

FrankVl
Ultra Champion

If an indexer goes into detention, it will stop accepting new data on its inputs. If you have multiple indexers and you've set up your forwarders to load balance across your indexers, they will simply divert to the other indexers. If you have only a single indexer, then queues will start filling up on your forwarders and once those are full, their inputs will also block. In some cases your data sources may cache and resend once the blockage is over, but in many cases data will start to get lost (especially with 'unreliable' transport methods like UDP).

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...