How to solve the problem related to indexing after...

jjeongeunida · ‎12-22-2022

I received red alarms from health status.
The types of alarm vary over time.
but the warnings that continuously occur are Ingestion Latency, IOWait, Searches Delayed, etc.

And the Detail message displays 'Splunkd's processing queue is full.'
Is there any way to check which process is in the queue?
OR is there a way to flush the queue?

I increased CPU and memory, but the problem was not solved.
And I recently upgraded the Splunk version from 8.1.4 to 9.0.2.

Thank you.

PickleRick · ‎12-25-2022

Ingestion latency might be a "feature" of your setup in certain cases (like big periodically created - for example, rsynced from remote location - files and low thruput limit).

IOwait is, as @richgalloway said, a known false positive.

Searches delayed is typically an issue with your workload and/or definition of your searching schedules.

Apart from IOwait they should not be connected with your upgrade.

richgalloway · ‎12-24-2022

The IOWait warning is a known false positive. You can adjust it to turn red with a higher IOWait value.

The Monitoring Console will display the indexer queues at Indexing->Performance->Indexing Performance: Instance

---
If this reply helps you, Karma would be appreciated.

How to solve the problem related to indexing after version upgrade

administration

troubleshooting

upgrade

using Splunk Enterprise

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?