How do I edit Universal Forwarder aeq queue size?

martaBenedetti · ‎09-29-2022

Hi Community,

on Universal Forwarder I see these logs:

09-29-2022 12:12:17.410 +0200 INFO  Metrics - group=queue, name=aeq, blocked=true, max_size_kb=500, current_size_kb=499, current_size=61, largest_size=61, smallest_size=18

I know is related to gz files, in fact splunk is monitoring files gz.

In order to increase queue size, I usually push server.conf with new values, like this.

[queue=aeq]
maxSize = 2MB

It seems not working because I keep seeing in logs

Metrics - group=queue, name=aeq, blocked=true, max_size_kb=500

Do you know how can be edited this queue size?

Thanks,

Marta

morawi5 · ‎10-20-2022

Any update on this topic? I also have set mine higher and the max_size_kb remains at 500.

SinghK · ‎09-29-2022

Need more info on that.. inputs.conf from indexer what port is configured etc.

outputs.conf from forwarder

martaBenedetti · ‎10-03-2022

Hi SinghK,

inputs.conf on indexers

[splunktcp-ssl:9997]
queueSize=4MB
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/slave-apps/certs/myserver.pem
requireClientCert = true

outputs.conf on forwarder

[indexAndForward]
index                   = false

[tcpout]
defaultGroup            = my_indexers
forceTimebasedAutoLB    = true
indexAndForward         = false
clientCert              = $SPLUNK_HOME/etc/apps/certs/myserver.pem
useClientSSLCompression = true

[tcpout:my_indexers]
disabled                = false
useACK                  = true
server                  = idx1:9997,id2:9997,id3:9997,id4:9997,id5:9997,id6:9997

How do I edit Universal Forwarder aeq queue size?

universal forwarder

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!