×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
jangusprangus
Engager
Member since: ‎03-24-2022
‎03-29-2022
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-24-2022
View All

Re: Why shouldn't dropEventsOnQueueFull config be ...

by in Splunk Enterprise
‎03-29-2022 05:59 PM
‎03-29-2022 05:59 PM
Hey @PickleRick , Thank you for your answer, it was incredibly helpful. What I've done is added dropEventsOnQueueFull (300s) to the second tcpout group only, plus increased the maxqueuesize to 50mb. We're going to see how this goes for our environment. The idea behind setting it to 300s is so that we give our second tcpgroup a chance recover if it's only a minor blip. I hope that my understanding is correct there! Thanks again for your answer. ... View more

Why shouldn't dropEventsOnQueueFull config be used...

by in Splunk Enterprise
‎03-24-2022 07:07 PM
‎03-24-2022 07:07 PM
In our outputs.conf for our splunk forwarders we have two tcpout target groups ([tcpout:<target_group>]) . Both tcpout groups have multiple servers/are autolb'd. Our second tcpout group (remote splunk instance) became unavailable due to a network issue, which caused all of our splunk forwarder's local queues to fill up and block forwarding totally (both groups) as they were no longer able to forward data to the second group. I'm looking into solutions by using outputs.conf, namely the tcpout settings, maxQueueSize and dropEventsOnQueueFull - a combination of these seems like it will solve our problem, however on reading the documentation here (https://docs.splunk.com/Documentation/Splunk/8.2.5/Admin/Outputsconf), under dropEventsOnQueueFull: * CAUTION: DO NOT SET THIS TO A POSITIVE INTEGER IF YOU ARE MONITORING FILES. I am monitoring files - so this seems like a deal breaker? Is somebody help me understand why we wouldn't want to configure this setting if we're monitoring files? Or should we simply set this to 0 (not a positive integer)? If there's an outage of the second tcpout group, we're fine with losing some data for that site if that's the price of keeping the forwarders continuing to report to our first tcpout group. Hope that makes sense! Thanks in advance!   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-29-2022 09:22 PM
Karma given to
View All