Solved: Why is there Forwarder Ingestion Latency Error?

nz_021 · ‎07-25-2023

I have splunk instance with 9.0.3 version and my splunk keeps throwing error in Forwarder Ingestion Latency with Root Cause " Ingestion_latency_gap_multiplier' indicator exceeds configured value. Observed value is 2587595". does anyone know how to solve this problem?

nz_021 · ‎08-07-2023

Halo,

i've solve this issue, the main problem is with UF in my agent. I just need to delete and reinstall the UF and the error is gone.

View solution in original post

nz_021 · ‎08-07-2023

Halo,

i've solve this issue, the main problem is with UF in my agent. I just need to delete and reinstall the UF and the error is gone.

PickleRick · ‎07-25-2023

1. Verify if you do have the latency problem. Check your data coming from the given forwarder and check if it does indeed show delay in indexing.

2. It seems that it's sometimes a case of the forwarder not handling properly the $SPLUNK_HOME/var/spool/splunk/tracker.log* (based on which the alert is generated) and old values are not removed from the file but instead are reingested as the new values are appended to it. Try stopping the forwarder, removing the tracker.log file and restarting the forwarder.

Why is there Forwarder Ingestion Latency Error?

troubleshooting

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!