Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Saturated Event-Processing Queues

msplunk33
Path Finder
‎10-20-2020 05:59 PM

I am getting this error frequently and I can see the index queue is 99% for many indexers in the cluster. I am not able to figure out what is causing this issue. During this period indexing is considerable slow and logs are not ingesting for many source type. I am not able to figure out what is causing this issue(which source). After sometime it go back to normal. I am worried this can case issue in the future.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-22-2020 06:49 AM

In the MC, select Indexing->Indexing Performance: Instance.  Then scroll down to the "Estimated Indexing Rate Per Sourcetype" panel.  Use the dropdown menu to split the graph by various attributes until you find the source of the problem.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2020 06:25 AM

A full queue is caused by a slow-down after the queue or a sudden increase before the queue.

Check your storage system to make sure there is nothing that is causing the I/O rate to drop significantly, like an AV scan.  Splunk should not be sharing storage with other high-I/O applications like a DB.

A periodic surge in incoming data can also lead to backed-up queues.  Use the monitoring console to see what sources contributed a lot of data during the period of the slowdown.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

msplunk33
Path Finder
‎10-21-2020 04:46 PM

@richgalloway 

 

Use the monitoring console to see what sources contributed a lot of data during the period of the slowdown.

 

I could not find the above option in the monitoring console. Could you give me the menu details  from the monitoring console or a scereenshot.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...