Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Marc_Williams
Marc_Williams
Explorer
Member since:
07-07-2021
08-17-2022
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 2 |
| Member Since | 07-07-2021 |
Activity Feed
- Got Karma for Why are we receiving this ingestion latency error after updating to 8.2.1?. 09-19-2022 02:38 AM
- Posted Re: Ingestion Latency after updating to 8.2.1 on Splunk Enterprise. 08-17-2022 08:17 AM
- Posted Re: Ingestion Latency after updating to 8.2.1 on Splunk Enterprise. 07-14-2022 10:33 AM
- Posted Re: Ingestion Latency after updating to 8.2.1 on Splunk Enterprise. 07-13-2022 07:27 AM
- Got Karma for Why are we receiving this ingestion latency error after updating to 8.2.1?. 07-02-2022 07:33 AM
- Posted Re: Ingestion Latency after updating to 8.2.1 on Splunk Enterprise. 10-26-2021 01:22 PM
- Posted Re: Ingestion Latency after updating to 8.2.1 on Splunk Enterprise. 10-26-2021 12:18 PM
- Posted Re: Ingestion Latency after updating to 8.2.1 on Splunk Enterprise. 08-18-2021 06:20 AM
- Posted Why are we receiving this ingestion latency error after updating to 8.2.1? on Splunk Enterprise. 07-07-2021 07:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 2 |
08-17-2022
08:17 AM
So I had a support ticket open and this was the next thing we tried: "I was performing a health check based on the provided diag file and get a warning in regards to File descriptor cache stress. When the Splunk file descriptor cache is full, it will not be able to effectively tail all the files it should, sometimes resulting in missed or late data. In this case an important setting that can be adjusted in limits.conf, I'm speaking about the attribute max_fd under the [inputproc] stanza, you may test to set it as max_fd = 300. Please notice that to set custom configurations, you need to do it on a local directory of limits.conf and you must restart the Splunk instance to enable configuration changes. For more details, please review the following document: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf)" However that didn't fix the issue and they said we need more CPU/Cores as we are currently running 4 cores (and have been for years with no issues) and that we need to have 12 now after that upgrade (and all other upgrades after). So we are going to get a couple of new CPU's and see if that helps...we will update after we upgrade the sever.
... View more
07-14-2022
10:33 AM
So we have 7 outputs.conf...only 2 have useAck and they are both set to false already. Not all of the output files are the same: Should those copies have that value added?
... View more
07-13-2022
07:27 AM
We are running on a windows platform. We have made no changes to the environment (permission or user). We have upgraded to 9.0 and still have the issue.
... View more
10-26-2021
01:22 PM
So we upgraded to 8.2.2.1 and are still getting the error. However it is a bit different than before. Events from tracker.log have not been seen for the last 1395 seconds, which is more than the red threshold (210 seconds). This typically occurs when indexing or forwarding are falling behind or are blocked.
... View more
10-26-2021
12:18 PM
So we thought we had it resolved. However it is back again. We restart the services and we can watch it go from good to bad. Anyone else had luck finding an answer?
... View more
08-18-2021
06:20 AM
No....I have not found a solution. However it appears to have cleared itself.
... View more
07-07-2021
07:48 AM
2 Karma
So we just updated to 8.2.1 and we are now getting an Ingestion Latency error…
How do we correct it? Here is what the link says and then we have an option to view the last 50 messages...
Ingestion Latency
Root Cause(s):
Events from tracker.log have not been seen for the last 6529 seconds, which is more than the red threshold (210 seconds). This typically occurs when indexing or forwarding are falling behind or are blocked.
Events from tracker.log are delayed for 9658 seconds, which is more than the red threshold (180 seconds). This typically occurs when indexing or forwarding are falling behind or are blocked.
Generate Diag?If filing a support case, click here to generate a diag.
Here are some examples of what is shown as the messages:
07-01-2021 09:28:52.276 -0500 INFO TailingProcessor [66180 MainTailingThread] - Adding watch on path: C:\Program Files\Splunk\var\spool\splunk.
07-01-2021 09:28:52.276 -0500 INFO TailingProcessor [66180 MainTailingThread] - Adding watch on path: C:\Program Files\Splunk\var\run\splunk\search_telemetry.
07-01-2021 09:28:52.276 -0500 INFO TailingProcessor [66180 MainTailingThread] - Adding watch on path: C:\Program Files\Splunk\var\log\watchdog.
07-01-2021 09:28:52.276 -0500 INFO TailingProcessor [66180 MainTailingThread] - Adding watch on path: C:\Program Files\Splunk\var\log\splunk.
07-01-2021 09:28:52.276 -0500 INFO TailingProcessor [66180 MainTailingThread] - Adding watch on path: C:\Program Files\Splunk\var\log\introspection.
07-01-2021 09:28:52.275 -0500 INFO TailingProcessor [66180 MainTailingThread] - Adding watch on path: C:\Program Files\Splunk\etc\splunk.version.
07-01-2021 09:28:52.269 -0500 INFO TailingProcessor [66180 MainTailingThread] - Adding watch on path: C:\Program Files\CrushFTP9\CrushFTP.log.
07-01-2021 09:28:52.268 -0500 INFO TailingProcessor [66180 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME\var\log\watchdog\watchdog.log*.
07-01-2021 09:28:52.267 -0500 INFO TailingProcessor [66180 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME\var\log\splunk\splunk_instrumentation_cloud.log*.
07-01-2021 09:28:52.267 -0500 INFO TailingProcessor [66180 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME\var\log\splunk\license_usage_summary.log.
07-01-2021 09:28:52.267 -0500 INFO TailingProcessor [66180 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME\var\log\splunk.
07-01-2021 09:28:52.267 -0500 INFO TailingProcessor [66180 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME\var\log\introspection.
07-01-2021 09:28:52.267 -0500 INFO TailingProcessor [66180 MainTailingThread] - Parsing configuration stanza: monitor://$SPLUNK_HOME\etc\splunk.version.
07-01-2021 09:28:52.267 -0500 INFO TailingProcessor [66180 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME\var\spool\splunk\tracker.log*.
07-01-2021 09:28:52.266 -0500 INFO TailingProcessor [66180 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME\var\spool\splunk\...stash_new.
07-01-2021 09:28:52.266 -0500 INFO TailingProcessor [66180 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME\var\spool\splunk\...stash_hec.
07-01-2021 09:28:52.266 -0500 INFO TailingProcessor [66180 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME\var\spool\splunk.
07-01-2021 09:28:52.265 -0500 INFO TailingProcessor [66180 MainTailingThread] - Parsing configuration stanza: batch://$SPLUNK_HOME\var\run\splunk\search_telemetry\*search_telemetry.json.
07-01-2021 09:28:52.265 -0500 INFO TailingProcessor [66180 MainTailingThread] - TailWatcher initializing...
... View more
Labels
- Labels:
-
troubleshooting
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-17-2022
11:38 AM
|
