Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Persistent Queue not working for Heavy Forwarder on Splunk Enterprise 6.3.2

xrtan
Explorer
‎02-11-2016 12:18 AM

Hi all,

I am current trying to test persistent queue to see whether it works on heavy forwarder. However, it doesn't seem to be working.

Here is my scenario:
I have syslogs coming in from different devices into my heav yforwarder using both tcp and udp protocol. So what I did was put persistentQueueSize=100MB into my inputs.conf stanza, so right now it looks something like this: 

[udp://514]
index=main
sourcetype = syslog
connection_host = ip
disabled = 0
persistentQueueSize=100MB

[tcp://514]
index=main
sourcetype = syslog
connection_host = ip
disabled = 0
persistentQueueSize=100MB

When I restart the server, I can see the flat file being created at these 2 places respectively

$SPLUNK_HOME/var/run/splunk/tcpin/

$SPLUNK_HOME/var/run/splunk/udpin/

So I went on to shut down my indexers for 5 minutes. After that, I turn it on back. However, during the 5 mins, I did not see any changes to the flat file and when I try to search for data on my search head, logs have be dropped during that 5 mins, so no caching was done.

Am I missing something?

0 Karma
Reply

rschutt
Explorer
‎11-29-2017 06:18 AM

Without the "queueSize" being set to any value, "persistentQueueSize" will not work.

Also be aware that the instance will first fill the memory-queue and if this is exhausted it will write into the persistent queue. So in order to save as much as possible to disk, set the "queueSize" to a minimum.

0 Karma
Reply

xrtan
Explorer
‎04-28-2016 08:19 PM

apparantly it takes some time for the data to roll into flat file as its still writing to memory for some reason

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...