Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Parsing Queue blocked on Heavy Forwarder

omuelle1
Communicator
‎03-12-2020 06:17 AM

Hey guys,

I got some question regarding parsing queue issues I have been observing on our Heavy Forwarders. I am currently seeing between 500 and 1000 blocked events on each heavy forwarder daily when running:

index=_internal host=HF blocked=true

The total ratio of blocked events seems to be about 10% and they mostly all seem to appear in the aggqueue:

alt text

My main question is if this is reason for concern or what the impact on my current Splunk environment would be. Also why would all this blocking be in mainly one queue ?

Thank you,

Oliver

Preview file
32 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

codebuilder
Influencer
‎03-16-2020 03:39 PM

This generally indicates that you have not adjusted the thruput setting on your HF from the default of 256kbs.
My suggestion is to change/add the value in limits.conf to maxKBps=0, or a number greater than the default that you think your network can support. The forwarder is being throttled and cannot keep up with the data it's trying to send to the indexers.

[thruput]
maxKBps = (0 = unlimited)

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf

----
An upvote would be appreciated and Accept Solution if it helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

codebuilder
Influencer
‎03-16-2020 03:39 PM

This generally indicates that you have not adjusted the thruput setting on your HF from the default of 256kbs.
My suggestion is to change/add the value in limits.conf to maxKBps=0, or a number greater than the default that you think your network can support. The forwarder is being throttled and cannot keep up with the data it's trying to send to the indexers.

[thruput]
maxKBps = (0 = unlimited)

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Solved! Jump to solution

anmolpatel
Builder
‎03-15-2020 04:37 PM

The issue appears to be at the aggQueue based on the screenshot.
So check if the props.conf is configured correctly for the sourcetypes.
Things you want to check:
- Should_Linemerge
- Max_events
- Time_prefix
- Time_format
- Datetime_config
- Max_Days_Ago

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...