Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

The monitor input cannot produce data because splunkd's processing queues are full. This will be caused by inadequate in

imam99
Loves-to-Learn Lots
‎03-24-2021 12:49 AM

The monitor input cannot produce data because splunkd's processing queues are full. This will be caused by inadequate indexing or forwarding rate, or a sudden burst of incoming data.

imam99_0-1616572053724.png

 

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-24-2021 01:16 AM

HI @imam99,

there could be many reasons for your problem, the most likely are insuffient resources especially CPUs and too low performances of your disks:

for the first one, you have to performa a Capacity Plan to understand if the number of CPUs that you have is sufficient to manage the ingestion and search load, how many CPUs, GB/day have you, users and scheduled searches have you? have ES or ITSI?

For the second one, Splunk requires at least 800 IOPS (better 1200) for the storage of Hot and Warm Buckets, how many IOPS has your storage? you can test it using tools as bonnie++.

Anyway, after the above checks (because they will ask you them), I hint to open a case to Splunk Support because maybe there could be some other problem, e.g. I had the same problem caused by syslog sending to third party.

Ciao.

Giuseppe

0 Karma
Reply

imam99
Loves-to-Learn Lots
‎03-24-2021 01:34 AM

thank you for your feedback, I'm agree with you, that it seems my server resources is not enough, coz during this happen I found cpu consumption more that 100% (using top command), but now cpu usage has been normal condition, but doesn't know why Splunk didn't released the queue and till now the error message still happen

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-24-2021 01:41 AM

Hi @imam99,

as I said i encountered a similar problem because also my queues didn't empty after the block.

For this reason I hinted to open a Case To Splunk, to understand if it's possible to do something.

In my Use Case they hinted to use the parallel pipeline and surely helps you if you have sufficient CPUs, but it depends on your resources and it's a delicate tuning.

Did you  perform a Capacity Planning?

The questions are

  • How many CPUs (totally in all your indexers),
  • how many GB/day,
  • how many GB in the peak hour,
  • how manu users,
  • how many scheduled searches,
  • are there ES or ITSI.

Ciao.

Giuseppe

0 Karma
Reply

imam99
Loves-to-Learn Lots
‎04-08-2021 11:36 PM

thank you for your answer but ,at this time all input data has stopped, we already stopped all the incoming logs, then just said it was checked, the write disk iops was 50 Mbps, the current CPU and memory positions have dropped. But indexQueue is still full.

 

imam99_0-1617950189585.png

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-09-2021 01:59 AM

Hi @imam99,

you if you restart the Indexers the queues will be empty and indexing will restart, but it doesn't resolve the problem.

But anyway, open a case to Splunk Support at P1 level (blocked system) they usually answers in 30-60 minutes.

Ciao.

Giuseppe

0 Karma
Reply

imam99
Loves-to-Learn Lots
‎04-09-2021 02:26 AM

Hi Ciao

thx , i will try you're suggestion

 

Imam Mustakim

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-24-2021 01:08 AM

Is there a question here?

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...