cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ayeheyis
Explorer
Member since: ‎02-01-2022
‎02-02-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎02-01-2022
Activity Feed
View All

Re: Splunk Indexer Parsing Queue Blocking

by in Getting Data In
‎02-02-2022 10:35 AM
‎02-02-2022 10:35 AM
Just to close the loop on this, as I was going thru the logs I noticed the app I recently installed was still enabled even tho I could've sworn I disabled it. I disabled the app and restarted using the web interface. Not sure if that matters but when I did it thru the CLI, everything seems to be working again. Thanks for all your help! ... View more

Re: Splunk Indexer Parsing Queue Blocking

by in Getting Data In
‎02-02-2022 05:45 AM
‎02-02-2022 05:45 AM
Thanks for the response. Do you know which properties I should set? I went thru the limits.conf documentation and I couldn't figure which properties relate to the queue sizes. Also I'm not able to see any logs for the index _internal. I'm assuming it's caused by the blockage in the data pipeline.  ... View more

Splunk Indexer Parsing Queue Blocking

by in Getting Data In
‎02-01-2022 06:48 PM
‎02-01-2022 06:48 PM
Hello, I just recently restarted my splunk enterprise instance in order to add an app and once it was back up, i noticed that one of the health checks was failing.  Also no new logs were showing up in the search.  I looked at the monitoring console and noticed the parsing queue was full. I also checked the metrics.log and saw some of the queues were full. If I'm understanding the data pipeline hierarchy correctly, it's the parsing queue that's actually blocked and causing the other queues to be blocked.  I also checked the splunkd.log and didn't really anything that seemed related. There were some SSL errors which didn't seem related. And this other error:   ERROR HttpInputDataHandler - Failed processing http input, token name=kube, channel=n/a, source_IP=172.17.8.66, reply=9, events_processed=4, http_input_body_size=7256, parsing_err="Server is busy"   but that seems to be a result of the full queue.  I looked into my resource usage from the monitoring console and top tool and neither cpu or mem go higher than 50% utilization. I also restarted splunk multiple times but the queue always goes to 100% instantly. I did notice a warning on startup: Bad regex value: '(::)?...', of param: props.conf / [(::)?...]; why: this regex is likely to apply to all data and may break summary indexing, among other Splunk features. However, I didn't make any changes to props.conf and everything was working before I restarted the first time so I assume this is not related. Not sure what else to try. Any help would be greatly appreciated! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎02-02-2022 01:57 PM
Karma given to
View All