Oh.. Okay. But won't queue get filled up if the incoming rate is more than indexing rate?

I am sharing the screenshot of the search query and health error also. Let me know if you have any more queries.

Error: https://ibb.co/ZmNtRX7
Search query: https://ibb.co/wW6dZB5

In an ideal world all the queues should be at 0% - if any of them are more than a few % it indicates problems.

Because its the early queues that are full, it suggests the bottleneck is not with the actual indexing/writing to disk.

Okay. But in what scenarios can the initial queues be full and indexing queues empty?

for the reasons i mentioned above - probably timestamp extraction, or line breaking.

Have you checked in your internal logs?

I think you are right. I checked splunkd.logs.
It is scattered with messages "WARN AggregatorMiningProcessor - Breaking event because limit of 256 has been exceeded". Found a possible reason here: https://answers.splunk.com/answers/141721/error-in-splunkd-log-breaking-event-because-limit-of-256-h....

Correct me if I am wrong here. I think the data itself causing the issue. The parser is spending too much time breaking the event that it is not able to send data to the indexing queues and also leading to the parsing queues being filled up.

As suggested in one of the comments in the above link, will changing the MAX_EVENTS=10000 resolve the issue?

Exactly the cause, but changing the limits will make your problem even worse!
Don't do this!

You need to fix the breaking issue by applying the correct settings in props.conf for your log format.

Also from the logs, it seems like those warnings crops up only for .gz files. What I think is that Splunk is not decompressing it and taking the compressed content as one single event. But shouldn't Splunk take care of uncompressing the data before indexing it? Do I need to specify in the data input type as well? But the input data is a mixture of compressed logs and text log files.