Splunk Enterprise

Splunk Stream: Dropping DNS events

I am running Splunk Stream to collect DNS data from Domain Controllers. On some of the busy DCs the Splunk_TA_stream is generating lots of the following errors:



ERROR [9412] (SplunkSenderModularInput.cpp:435) stream.SplunkSenderModularInput - Event queue overflow; dropping 10001 events



Looking at the Splunk Stream Admin-Network Metrics dashboard, these seem to occur at the same time the Active Network Flows seem to be hitting a limit:


I would like to increase the number of network flows allowed in an attempt to stop the event queue overflows. Looking at the documentation I can see 2 configurations that seem relevant:

maxTcpSessionCount = <integer>
* Defines maximum number of concurrent TCP/UDP flows per processing thread.
processingThreads = <integer>
* Defines number of threads to use for processing network traffic.


1) What is the default for maxTcpSessionCount and processingThreads?

2) Which parameter would it be better to increase?

Also, are these the correct parameters to be looking to tune with the errors I am getting? If not, what should I look at?
