Hi,

I am runing Splunk Stream to collect DNS data from Domain Controllers. On some of the busy DCs the Splunk_TA_stream is generating lots of the following errors:

ERROR [9412] (SplunkSenderModularInput.cpp:435) stream.SplunkSenderModularInput - Event queue overflow; dropping 10001 events

Looking at the Splunk Stream Admin-Network Metrics dashboard these seem to occur at the same the Active Network Flows seem to be hitting a limit:

I would like to increase the number of network flows allowed in an attempt to stop the event queue overflows. Looking at the documentation I can see 2 configurations that seem relevant:

maxTcpSessionCount = <integer>
* Defines maximum number of concurrent TCP/UDP flows per processing thread.

processingThreads = <integer>
* Defines number of threads to use for processing network traffic.

Questions:

1) What is the default for maxTcpSessionCount and processingThreads?

2) Would parameter would it be better to increase?

Also are these the correct parameters to be looking to tune with the errors I am getting. If not what should I look at?