Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parsing queue and Aggregation queue sizes on heavy forwarders?

jihape
Path Finder
‎02-28-2018 04:15 PM

We are seeing the aggregation and parsing queues almost constantly flatlining at a 100% on our HFs. On our indexers the queues are at 0% pretty much all the time, with the occasional spike to 20%.

Would increasing the [queue=parsingQueue] and [queue=aggQueue] in system/local/server.conf help lowering the queue fill ratio? The current settings are the default 6MB for Parsing and 1MB for aggregation.

There are only 250 UFs connected to the HF, but that is expected to increase dramatically.

If increasing the queue size works, by how much should I increase it? Is there a rule of thumb that I haven't seen?

Tags (1)
0 Karma
Reply

sohaib112
Explorer
‎01-20-2023 08:00 AM

Facing this same issue with few servers.
@jihape Have you found the solution of it? How did you fix it?

I have just added the this setting `parallelIngestionPipelines=2` and increased the parsingqueue on HF from 1024MB to 2048MB. Would this solve the issue? 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-20-2023 01:48 PM

Hi

how many HFs you have vs indexers? I have seen a rule of thumb that you should have (min) 7 hf pipeline per one IDX pipeline to get this working smoothly.

r. Ismo

0 Karma
Reply

justynap_ldz
Path Finder
‎07-06-2022 08:23 AM

Hi @jihape,  have you solved this issue? We are facing the same problem...

0 Karma
Reply

nareshinsvu
Builder
‎08-25-2019 06:16 PM

@jihape - Was your issue resolved? I am in the same boat looking for a safe shore.

0 Karma
Reply

HiroshiSatoh
Champion
‎02-28-2018 07:17 PM

The load on the indexer is low and the queue is formed on the HF side is a problem in the processing on the HF side.
Increasing the size of the queue does not solve the problem. Please first check high load processing.
For example, the transfer rate (maxKBps) may be low.Also, if the parsing process is slow, it is also possible to increase the pipeline.

0 Karma
Reply

jihape
Path Finder
‎02-28-2018 07:56 PM

Thanks, I couldn't identify any issues with the server:
1. It was not a CPU issue - max CPU was only 50%
2. transfer rate in limits.conf is set to 0
3. Is it this settings you are talking about when saying 'increase the pipeline'? http://docs.splunk.com/Documentation/Splunk/7.0.2/Capacity/Parallelization#Index_parallelization

0 Karma
Reply

HiroshiSatoh
Champion
‎02-28-2018 09:13 PM

Yes. The pipeline is that. Processes can be parallelized. But up to two. More than (3 or more require PS.

Can you investigate high load queues?
setting>monitoring console>Indexing>Indexing Performance: Instance

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...