Getting Data In

Troubleshooting Splunk Queues (Typing Queue)

mbrunetto
Path Finder

My Typing Queue is currently blocking and causing backups. I believe I have the order right.
udpin/splunktcpin, parsing, and agg queues are all backed up. Indexing queue has some localized spikes, but is mostly at 0. This should indicate a delay in the Typing Pipeline. My data comes in waves with the workday, and the queues max during the workday, and clear out overnight.

Where would I go next to try and clear these queues out? What are my troubleshooting steps? It looks like this pipeline is trying to do regexes and punctuation, but how do I see what part of the pipeline is holding up the queue? I'd like to find out if it's something that I've put in, and if so, which thing to remove.

Since the index seems unblocked, I don't think this has anything to do with my disk speed. My CPUs (8) are busy, but not overworked, and I have plenty of free memory. I run a single box doing indexer/search on 10G of data/day.

phoffman_splunk
Splunk Employee

The first, easiest thing to start with is to download and install the S.o.S. app (app link here). If you install this on your search head, remember to deploy the TA (links here on the documentation tab) to your indexer(s).

In the S.o.S. app, check out the "Estimated percentage of total CPU used per Splunk processor" panel under the "Indexing Performance" dashboard. This will let you view where most of your CPU processing time is going. Most typically it is a bad regex.

Then it is a matter of finding the bad regex that was put in place, through exploring your transforms.conf settings through the S.o.S. "Configuration File Viewer" view.
