Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Management Console - Indexing Performance shows Queue Fill Ratio's are at 100% (almost)

jagadeeshm
Contributor
‎03-13-2017 05:52 PM

We have a multi-site cluster and I started noticing in DMC that some of the Queue Fill Ratio's are almost at 100%. What does that mean?

Here is a snapshot from 5 mins ago -

alt text

Each row here indicates an indexer (hidden for privacy). And I am noticing that the indexer keeps changing and one or the other is at near 100%.

We are using HTTP Event Collector to post data into Splunk and we are seeing "Server is busy" error while posting the events.

Please advice.

Preview file
73 KB
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎03-13-2017 09:32 PM

How many indexers are in your cluster?
What are your indexer specs (cores, memory)?
What are you using for HOT/WARM storage (kinds and number of disks, RAID level, size)?
What is your daily indexing volume?
Are you sending directly to the HTTP event collector (HEC) input on the indexers via a load balancer or do you have a Heavy Forwarder as the HEC endpoint?

Generally speaking, this is an indication that you are trying to process more load on an indexer than it can handle as indicated by your indexing queue backing up.

Any data coming into an indexer gets processed via multiple pipelines (containing one or more processors). Each of these pipelines has an input and output queue and does a specific task:

  • parsing pipeline/queue: UTF-8 conversion, line breaking, header extraction
  • merging pipeline/agg queue: line merging (multi-line events)
  • typing pipeline/queue: RegEx replacements, annotation (punct field)
  • indexing pipeline/queue: license metering, writing to disk (or syslog/TCP out [rarely])

If one of the pipelines can't keep up, it's input queue will grow as new data comes in. This effect "bubbles up" the pipeline chain, ultimately all the way back to the forwarder's output queue.

Since HEC is served via HTTP POST, there is no output queue on the sender side and the sender will get a "server busy" response if the receiver cannot accept new data.

My best guess is that you will need to add additional indexers to handle the ingest load you are trying to process.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...