Getting Data In

How to troubleshoot why universal forwarders are reporting "Could not send data to output queue (parsingQueue), retrying..."?

prakash007
Builder

I'm getting this message below on Universal Forwarders' splunkd.log...

INFO  BatchReader - Could not send data to output queue (parsingQueue), retrying...
INFO  TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
INFO  TailReader - Could not send data to output queue (parsingQueue), retrying...

I did follow these steps below...

  1. grep "*blocked=true*" /opt/app/splunkforwarder/var/log/splunk/metrics.log*
     I don't see any blocked queues.
  2. I did add limits.conf in /opt/apps/splunkforwarder/etc/system/local:
     [thruput]
     maxKBps = 0

Still I see the message:

Could not send data to output queue (parsingQueue), retrying...

What are the next options I need to look at to resolve this?

0 Karma

muebel
SplunkTrust

Hi mcnamara, the next option will be to verify that the forwarder has connectivity to the upstream tcpout host. This can be done by using telnet or openssl commands:

openssl s_client -connect <upstreamhost>:<port>

Additionally, look at other universal forwarder installations and determine if they are able to connect. If they can, then that means that you have a problem with the one particular host in question. Otherwise there is an issue with the overall outputs.conf configuration, or a networking issue (simply no route to the upstream Splunk instance).

Please let me know if this helps!

0 Karma

martin_mueller
SplunkTrust

The message itself says "outputqueue on forwarder is full", but that's usually just a symptom. The cause usually is no connectivity to the indexing tier, or full queues on the indexing tier, or some other indexing blockage.

0 Karma
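
An added example, not part of any post in this thread: a shell function that summarises blocked counts and peak fill per queue from metrics.log `group=queue` lines, so the same check can be run on each tier (UF, HF) to see where the blockage described above sits. The sample lines are constructed, the field names (`blocked=true`, `max_size_kb`, `current_size_kb`) are assumed to follow the usual metrics.log layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Note on the grep used earlier in the thread: "*blocked=true*" is glob
# syntax; in a basic regex the leading "*" is a literal asterisk, so it only matches
# lines containing "*blocked=tru". Use: grep 'blocked=true' metrics.log*

# Constructed sample lines modelled on metrics.log queue metrics (not real data).
sample_metrics() {
  cat <<'EOF'
01-15-2024 10:00:00.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=100, current_size=40, largest_size=60, smallest_size=0
01-15-2024 10:00:30.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, blocked=true, max_size_kb=512, current_size_kb=511, current_size=210, largest_size=210, smallest_size=0
01-15-2024 10:00:30.000 +0000 INFO  Metrics - group=queue, name=indexqueue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=2, smallest_size=0
EOF
}

# queue_report: reads metrics.log lines on stdin and prints, per queue:
#   <name> samples=<n> blocked=<n> peak_fill=<pct>%
queue_report() {
  awk '
    /group=queue/ {
      name = ""; max = 0; cur = 0; blk = 0
      n = split($0, f, ", ")
      for (i = 1; i <= n; i++) {
        eq = index(f[i], "=")
        if (eq == 0) continue
        key = substr(f[i], 1, eq - 1); val = substr(f[i], eq + 1)
        sub(/^.* /, "", key)            # drop the timestamp prefix before the first key
        if (key == "name") name = val
        else if (key == "max_size_kb") max = val + 0
        else if (key == "current_size_kb") cur = val + 0
        else if (key == "blocked" && val == "true") blk = 1
      }
      if (name == "") next
      samples[name]++; blocked[name] += blk
      pct = (max > 0) ? int(100 * cur / max) : 0
      if (pct > peak[name]) peak[name] = pct
    }
    END {
      for (q in samples)
        printf "%s samples=%d blocked=%d peak_fill=%d%%\n", q, samples[q], blocked[q], peak[q]
    }
  ' | sort
}

# Stand-alone run on the constructed sample; on a real host: cat metrics.log* | queue_report
sample_metrics | queue_report
```

A queue that shows blocked samples on the HF but not on the UF points at the HF or the tier behind it rather than at the forwarder itself.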

prakash007
Builder

Hi muebel, I did try your command and it says connected:

$ openssl s_client -connect apwebsvr:9997
CONNECTED(00000003)
3648:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Here's our data flow... UF------->HF-------->Splunkcloud. I did telnet and openssl from UF to HF, which is connecting.

I don't see this message (Could not send data to output queue (parsingQueue), retrying...) when I restart the Splunk instance on the UF, but it's been happening every now and then.

Based on the message in the log, is the parsingQueue getting filled up on the UF or HF or indexer? Just trying to understand, to get a permanent solution. Thanks!

0 Karma

somesoni2
Revered Legend

Is your forwarder able to connect to the indexer? Check the firewall rules, etc.

0 Karma

prakash007
Builder

Yes, it is connecting. I did: $ telnet servername port#

0 Karma