Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Troubleshooting Splunk Queues (Typing Queue)

mbrunetto
Path Finder
‎01-31-2013 01:45 PM

My Typing Queue is currently blocking and causing backups. I believe I have the order right
udpin/splunktcpin, parsing, and agg queues are all backed up. Indexing queue has some localized spikes, but is mostly at 0. This should indicate a delay in the Typing Pipeline. My data comes in waves with the workday, and the queues max during the workday, and clear out overnight.

Where would I go next to try and clear these queues out? What are my troubleshooting steps? It looks like this pipeline is trying to do regex's and punctuation; but how do I see what part of the pipeline is holding up the queue? I'd like to find out if it's something that I've put in, and if so, which thing to remove.

Since the index seems unblocked, I don't think this has anything to do with my disk speed. My CPUs (8) are busy, but not overworked, and I have plenty of free memory. I run a single box doing indexer/search on 10G of data/day.

Reply

phoffman_splunk
Splunk Employee
Splunk Employee
‎01-26-2015 08:24 AM

1st easiest thing to start with is to download and install the S.o.S app (app link here) If you install this on your search head, remember to deploy the TA (Links here on the documentation tab) to your indexer(s).

In the S.o.S. app, check out the "Estimated percentage of total CPU used per Splunk processor" panel under the "Indexing Performance" dashboard. This will let you view where most of your CPU processing time is going. most typically it is a bad regex.

Then it is a matter of finding the bad regex that was put in place, through exploring your transorms.conf settings through the S.o.S. "Configuration File Viewer" view.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...