Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How do I edit Universal Forwarder aeq queue size?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I edit Universal Forwarder aeq queue size?
martaBenedetti
Path Finder
09-29-2022
03:18 AM
Hi Community,
on Universal Forwarder I see these logs:
09-29-2022 12:12:17.410 +0200 INFO Metrics - group=queue, name=aeq, blocked=true, max_size_kb=500, current_size_kb=499, current_size=61, largest_size=61, smallest_size=18
I know is related to gz files, in fact splunk is monitoring files gz.
In order to increase queue size, I usually push server.conf with new values, like this.
[queue=aeq]
maxSize = 2MB
It seems not working because I keep seeing in logs
Metrics - group=queue, name=aeq, blocked=true, max_size_kb=500
Do you know how can be edited this queue size?
Thanks,
Marta
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
morawi5
Explorer
10-20-2022
07:42 AM
Any update on this topic? I also have set mine higher and the max_size_kb remains at 500.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SinghK
Builder
09-29-2022
03:32 AM
Need more info on that.. inputs.conf from indexer what port is configured etc.
outputs.conf from forwarder
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
martaBenedetti
Path Finder
10-03-2022
12:11 AM
Hi SinghK,
inputs.conf on indexers
[splunktcp-ssl:9997]
queueSize=4MB
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/slave-apps/certs/myserver.pem
requireClientCert = true
outputs.conf on forwarder
[indexAndForward]
index = false
[tcpout]
defaultGroup = my_indexers
forceTimebasedAutoLB = true
indexAndForward = false
clientCert = $SPLUNK_HOME/etc/apps/certs/myserver.pem
useClientSSLCompression = true
[tcpout:my_indexers]
disabled = false
useACK = true
server = idx1:9997,id2:9997,id3:9997,id4:9997,id5:9997,id6:9997
Get Updates on the Splunk Community!
Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...
If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...
Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions
Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...
