Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to troubleshoot why universal forwarders are reporting "Could not send data to output queue (parsingQueue), retrying..."?

prakash007
Builder
‎04-14-2016 07:41 AM

I'm getting this message below on Universal Forwarders' splunkd.log...

INFO  BatchReader - Could not send data to output queue (parsingQueue), retrying...
INFO  TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
INFO  TailReader - Could not send data to output queue (parsingQueue), retrying...

I did follow this step below...

  1. grep "*blocked=true*" /opt/app/splunkforwarder/var/log/splunk/metrics.log* I don't see any blocked queues
  2. I did add limits.conf in /opt/apps/splunkforwarder/etc/system/local [thruput] maxKBps = 0

Still I see the message: 

Could not send data to output queue (parsingQueue), retrying...

What are the next options I need to look to resolve this..??

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎04-14-2016 07:48 AM

Hi mcnamara, The next options will be to verify that the forwarder has connectivity to the upstream tcpout host. This can be done by using telnet or openssl commands

openssl s_client -connect <upstreamhost>:<port>

Additionally, look at other universal forwarder installations and determine if they are able to connect. If they can, then that means that you have a problem with the one particular host in question. Otherwise there is an issue with the overall outputs.conf configuration, or a networking issue (simply no route to upstream splunk instance).

Please let me know if this helps!

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-14-2016 03:22 PM

The message itself says "outputqueue on forwarder is full", but that's usually just a symptom. The cause usually is no connectivity to the indexing tier, or full queues on the indexing tier, or some other indexing blockage.

0 Karma
Reply

prakash007
Builder
‎04-14-2016 08:29 AM

Hi muebel, I did try your command and it says connected

$ openssl s_client -connect apwebsvr:9997
CONNECTED(00000003)
3648:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Here's our data flow... UF------->HF-------->Splunkcloud, i did telnet and openssl from UF to HF which is connecting.

I don't see this message (Could not send data to output queue (parsingQueue), retrying..) when i restart the splunk instance on UF, but it's been happening every now and then.

Based on the message in the log, is parsingQueue gets filled up on UF or HF or Indexer...? just trying to understand to get a permanent solution. Thanks..!!

0 Karma
Reply

somesoni2
Revered Legend
‎04-14-2016 07:46 AM

Is your forwarder able to connect to Indexer? Check the firewall rules etc..

0 Karma
Reply

prakash007
Builder
‎04-14-2016 08:12 AM

Yes it is connecting, i did $telnet servername port#

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...