
The aggqueue and parsingqueue consistently full / blocked - how do I increase ?

Explorer

Search is index="_internal" source="*metrics.log" group="queue" | timechart perc90(current_size) by name

Results are:

group=queue, name=parsingqueue, blocked!!=true, max_size=1000, filled_count=15, empty_count=0, current_size=1000, largest_size=1000, smallest_size=996

group=queue, name=aggqueue, blocked!!=true, max_size=1000, filled_count=31, empty_count=0, current_size=1000, largest_size=1000, smallest_size=930

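One way to watch for this condition outside the search bar, as an added example that is not part of the original thread or of Splunk itself: a Python script that parses group=queue lines from metrics.log and reports queues that were blocked or whose mean fill ratio crosses a threshold. The sample lines are constructed in the layout the question shows (timestamps, the indexqueue entries and the second sample set are invented), and the 90 % threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample metrics.log lines in the group=queue layout shown in the
# question; timestamps, indexqueue and the second sample set are invented.
SAMPLE_METRICS = """\
01-01-2020 10:00:00.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, blocked!!=true, max_size=1000, filled_count=15, empty_count=0, current_size=1000, largest_size=1000, smallest_size=996
01-01-2020 10:00:00.000 +0000 INFO  Metrics - group=queue, name=aggqueue, blocked!!=true, max_size=1000, filled_count=31, empty_count=0, current_size=1000, largest_size=1000, smallest_size=930
01-01-2020 10:00:00.000 +0000 INFO  Metrics - group=queue, name=indexqueue, max_size=1000, filled_count=0, empty_count=4, current_size=12, largest_size=40, smallest_size=0
01-01-2020 10:00:30.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size=1000, filled_count=3, empty_count=0, current_size=800, largest_size=1000, smallest_size=500
01-01-2020 10:00:30.000 +0000 INFO  Metrics - group=queue, name=aggqueue, max_size=1000, filled_count=0, empty_count=0, current_size=200, largest_size=600, smallest_size=100
01-01-2020 10:00:30.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=12.3, kb=370
"""

# key=value pairs; metrics.log writes the blocked flag as "blocked!!=true",
# so any trailing "!" on the key is ignored
KV_RE = re.compile(r"([A-Za-z_]+)!*=([^,\s]+)")


def parse_queue_metrics(text):
    """Return one dict per group=queue line, with the numeric fields converted."""
    records = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("group") != "queue":
            continue
        rec = {"name": fields["name"], "blocked": fields.get("blocked") == "true"}
        for key in ("max_size", "current_size", "filled_count", "largest_size"):
            rec[key] = int(fields.get(key, 0))
        records.append(rec)
    return records


def summarize_queues(records):
    """Aggregate per-queue fill ratio and blocked counts across all samples."""
    totals = defaultdict(lambda: {"samples": 0, "blocked": 0, "current": 0,
                                  "capacity": 0, "filled_count": 0})
    for rec in records:
        t = totals[rec["name"]]
        t["samples"] += 1
        t["blocked"] += rec["blocked"]          # bool counts as 0/1
        t["current"] += rec["current_size"]
        t["capacity"] += rec["max_size"]
        t["filled_count"] += rec["filled_count"]
    summary = {}
    for name, t in totals.items():
        summary[name] = {
            "samples": t["samples"],
            "blocked_samples": t["blocked"],
            # summed sizes over summed capacity = mean fill ratio across samples
            "mean_fill": t["current"] / t["capacity"] if t["capacity"] else 0.0,
            "filled_count": t["filled_count"],
        }
    return summary


def saturated_queues(summary, fill_threshold=0.9):
    """Queues that were ever blocked or whose mean fill ratio meets the threshold."""
    return sorted(
        name for name, s in summary.items()
        if s["blocked_samples"] > 0 or s["mean_fill"] >= fill_threshold
    )


if __name__ == "__main__":
    summary = summarize_queues(parse_queue_metrics(SAMPLE_METRICS))
    for name in saturated_queues(summary):
        s = summary[name]
        print(f"{name}: mean fill {s['mean_fill']:.0%}, blocked in "
              f"{s['blocked_samples']}/{s['samples']} samples, "
              f"filled_count={s['filled_count']}")
```

A queue that shows up here once is a burst; one that shows up in every sample for hours is the "processing cannot keep up" case the answer below describes, and no queue-size change will fix it.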

Re: The aggqueue and parsingqueue consistently full / blocked - how do I increase ?

Splunk Employee

Are you actually experiencing problems with indexing throughput?

Increasing the length of the queue will probably not help. A constantly filled queue indicates that the processing that takes place on it is unable to keep up with the incoming work. Increasing the queue may give you a little room if this happens because your data comes in small bursts. If you are not experiencing indexing throughput problems, there's nothing you need to do.

If you are experiencing indexing throughput problems, there are a few options. Among them:

  • Add another indexer
  • Optimize any index-time props and transforms rules on your data, or remove unnecessary ones. These include:
    • Timestamp extraction. If you can specify explicit timestamp formats, those are faster than having Splunk guess.
    • Line merging rules. If your data is always single line, you can set SHOULD_LINEMERGE = false. You can also consider using custom LINE_BREAKER settings instead of line merging rules for multi-line data.
    • Number and efficiency of any regexes used in TRANSFORMS and SEDCMD rules

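An added example, not the answerer's code or anything shipped with Splunk: a Python audit of props.conf stanzas against the checklist above (an explicit TIME_FORMAT, SHOULD_LINEMERGE = false or a custom LINE_BREAKER, and the number of TRANSFORMS-/SEDCMD- rules). The stanzas, sourcetype names, transform names and the max_rules threshold are constructed for illustration; the weak stanza relies on timestamp guessing and default line merging, the hardened one makes both explicit.

```python
import configparser

# Constructed props.conf stanzas (not from the poster's deployment).
WEAK_PROPS = r"""
[syslog_cisco]
TRANSFORMS-nullq = drop_debug
SEDCMD-strip = s/password=\S+/password=***/g

[windows_snare]
SHOULD_LINEMERGE = false
"""

HARDENED_PROPS = r"""
[syslog_cisco]
TIME_PREFIX = ^
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 20
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRANSFORMS-nullq = drop_debug
SEDCMD-strip = s/password=\S+/password=***/g
"""


def load_props(text):
    """Parse Splunk-style .conf text; keys are case-sensitive and % is literal."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def count_index_time_rules(section):
    """Number of TRANSFORMS-* and SEDCMD-* rules (each is a regex run per event)."""
    return sum(1 for key in section if key.startswith(("TRANSFORMS-", "SEDCMD-")))


def audit_props(text, max_rules=5):
    """Map each stanza to a list of findings from the checklist in the answer."""
    parser = load_props(text)
    findings = {}
    for name in parser.sections():
        sec = parser[name]
        issues = []
        # DATETIME_CONFIG = CURRENT / NONE are the cases where no format is needed
        if "TIME_FORMAT" not in sec and \
                sec.get("DATETIME_CONFIG", "").upper() not in ("CURRENT", "NONE"):
            issues.append("no explicit TIME_FORMAT: timestamp layout is guessed per event")
        # neither single-line mode nor a custom breaker: default line merging applies
        if sec.get("SHOULD_LINEMERGE", "true").lower() != "false" and \
                "LINE_BREAKER" not in sec:
            issues.append("line merging left at default: set SHOULD_LINEMERGE = false "
                          "for single-line data or define LINE_BREAKER")
        rules = count_index_time_rules(sec)
        if rules > max_rules:
            issues.append(f"{rules} index-time TRANSFORMS/SEDCMD rules: "
                          "review for unneeded or slow regexes")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPS), ("hardened", HARDENED_PROPS)):
        for stanza, issues in audit_props(text).items():
            print(f"[{label}] [{stanza}]: {issues or 'no findings'}")
```

Run it against the local props.conf on an indexer or heavy forwarder; stanzas with no findings still cost one regex per rule per event, so the rule count is worth reading even when it stays under the threshold.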

Re: The aggqueue and parsingqueue consistently full / blocked - how do I increase ?

Explorer

Indexing is very slow. Adding 250 MB to the indices helped some. Going to the customized timestamping formats next, due to mixed Windows, Sourcefire, and Cisco data. Everything is single line coming from Snare and syslog, so I will turn on SHOULD_LINEMERGE = false. Regexes are spot on, and only as long as I need to pull fields from. Thanks for the help; will check back. What is the pulldown value all about? I noticed it in the default props.conf; should it be added to the local props.conf?


Re: The aggqueue and parsingqueue consistently full / blocked - how do I increase ?

Splunk Employee

You can ignore pulldown. It just controls whether the sourcetype appears in the GUI list. The other problem may just be that you need a faster machine or faster disk.
