Why is there a slowness in the restart of Spunk co...

vinod50rao · ‎05-18-2017

Hi Team,

I'm seeing slowness in the restart of Splunk components. All my Forwarders, indexers and search heads are on Linux OS. I'm making Forwarders first down than indexers and in last search heads,

We are seeing restart latency with Forwarders, in the meantime i'm directly shutting down the machine not stopping any service first. will that make change. Please provide your expert comments.

Thanks!
Vinod Yadav.

esix_splunk · ‎05-19-2017

Depending on what the forwarder is doing, it can take some time to stop/restart. This is typically due to currently active file monitors and modular inputs running. The forwarder will try and clear the queues before it restarts, meaning it will try and wait till and EOF / end of event before stopping the splunkd process. Similar is true on indexers, they will try and wait till search jobs have completed and indexing queues have emptied.

adonio · ‎05-18-2017

can you elaborate?
what is the reason for frequent restarts? can you see the console while restarting? any messages during restart?
how do you measure the slowness? how long does a forwarder restart takes? indexer? search head?

Why is there a slowness in the restart of Spunk components?

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7