Splunk Enterprise

Splunk Stream: Dropping DNS events

a_kearney
Path Finder

Hi,

I am runing Splunk Stream to collect DNS data from Domain Controllers. On some of the busy DCs the Splunk_TA_stream is generating lots of the following errors:

 

 

ERROR [9412] (SplunkSenderModularInput.cpp:435) stream.SplunkSenderModularInput - Event queue overflow; dropping 10001 events

 

 

Looking at the Splunk Stream Admin-Network Metrics dashboard these seem to occur at the same the Active Network Flows seem to be hitting a limit:

a_kearney_0-1701269442811.png

I would like to increase the number of network flows allowed in an attempt to stop the event queue overflows. Looking at the documentation I can see 2 configurations that seem relevant:

maxTcpSessionCount = <integer>
* Defines maximum number of concurrent TCP/UDP flows per processing thread.
processingThreads = <integer>
* Defines number of threads to use for processing network traffic.

Questions:

1) What is the default for maxTcpSessionCount and processingThreads?

2) Would parameter would it be better to increase?

Also are these the correct parameters to be looking to tune with the errors I am getting. If not what should I look at?

Labels (1)
Tags (3)
0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...