Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

My forwarder's outgoing data rate is lagging. How to resolve this in order for the forwarder to send data continuously?

chintan_shah
Path Finder
‎03-09-2017 09:17 AM

alt text

Forwarder is not sending the data at real-time, it is having some lag as mentioned in the screenshot. Can anyone help me in fixing it?
At 1:10 AM, kbs was nearly 0 whereas the source has some data which is transferred later

Preview file
1 KB
Reply

chintan_shah
Path Finder
‎03-15-2017 09:52 AM

Hi jcrabb,

I tried as mentioned by, to change the maxKBps to 0, but still i have faced the same issue.
alt text

Preview file
1 KB
0 Karma
Reply

jcrabb_splunk
Splunk Employee
Splunk Employee
‎03-16-2017 06:46 AM

Have you looked at the logs on the forwarder? Do you see an issue that stands out? Examples:

  • Problems connecting to Indexer
  • Blocked queues (search metrics.log for "block")
  • Errors like this: INFO TailReader - File descriptor cache is full (100), trimming...

How big is the log you are trying to ingest, does it get quite large over a certain time span? Is the event time and index time showing latency? If you run a search like this, what is the latency like?

index=index_of_relevant_forwarder_data | eval time=_time | eval itime=_indextime | eval latency=(itime - time) | stats count, avg(latency), min(latency), max(latency) by source

There are just quite a number of variables here.

Jacob
Sr. Technical Support Engineer
0 Karma
Reply

chintan_shah
Path Finder
‎03-16-2017 08:57 AM

Hi @Anonymous:

Have you looked at the logs on the forwarder? Do you see an issue that stands out? Examples:

Problems connecting to Indexer
-> I got multiple time out i.e.
03-15-2017 03:54:51.117 -0400 INFO TcpOutputProc - Ping connection to idx=destinationip:port timed out. continuing connections
Do you know how can i resolve this?

Blocked queues (search metrics.log for "block")
-> I didnt receive any events with block in metrics.

Errors like this: INFO TailReader - File descriptor cache is full (100), trimming...
-> i didnt receive any events with the above field.

How big is the log you are trying to ingest, does it get quite large over a certain time span? Is the event time and index time showing latency? If you run a search like this, what is the latency like?

index=index_of_relevant_forwarder_data | eval time=_time | eval itime=_indextime | eval latency=(itime - time) | stats count, avg(latency), min(latency), max(latency) by source
-> I am continuously monitoring the log files which are roll over every day and the logs are really huge.
i used the above query which was really helpful and for a particular source the Max Latency was 9814 which is 2 hours and 43 minute delay.
Can we reduce this latency?

There are just quite a number of variables here.

0 Karma
Reply

jcrabb_splunk
Splunk Employee
Splunk Employee
‎03-09-2017 12:35 PM

One thing I would suggest, if you are trying to ingest/forward a lot of data, is to configure the following in limits.conf:

## limits.conf ##

[thruput]
maxKBps = 0

Spec File: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bthruput.5D

maxKBps = <integer>
* If specified and not zero, this limits the speed through the thruput processor 
  in the ingestion pipeline to the specified rate in kilobytes per second.
* To control the CPU load while indexing, use this to throttle the number of
  events this indexer processes to the rate (in KBps) you specify.
* Note that this limit will be applied per ingestion pipeline. For more information 
  about multiple ingestion pipelines see parallelIngestionPipelines in the
  server.conf.spec file.
* With N parallel ingestion pipelines the thruput limit across all of the ingestion 
  pipelines will be N * maxKBps.

On a Forwarder, this is configured to the default of 256. This change often elevates the problem you are reporting.

Jacob
Sr. Technical Support Engineer
0 Karma
Reply

chintan_shah
Path Finder
‎03-09-2017 02:20 PM

So i have currently have 512 in maxKBps, so are you suggesting to keep it to 256 or 0?

0 Karma
Reply

jcrabb_splunk
Splunk Employee
Splunk Employee
‎03-09-2017 02:37 PM

I am recommending that it be set to 0:

[thruput]
maxKBps = 0

Jacob
Sr. Technical Support Engineer
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...