cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
cwhelan
Explorer
Member since: ‎04-11-2023
‎08-02-2023
Community Statistics
Posts 6
Solutions 0
Karma Given 7
Karma Received 1
Member Since ‎04-11-2023
Activity Feed
View All

Re: Processing queues blocking when thruput/event ...

by in Monitoring Splunk
‎06-30-2023 02:48 AM
‎06-30-2023 02:48 AM
Hi isoutamo, Thanks a lot for the reply. Currently, I only have backend access to all of our HFs and front end console, as everything else is in Splunk Cloud.   Would you suggest I open a Splunk support case? Or is there anything else I can do to try remediate beforehand?   Cheers, C ... View more

Processing queues blocking when thruput/event volu...

by in Monitoring Splunk
‎06-30-2023 01:44 AM
‎06-30-2023 01:44 AM
Hi guys, I am currently seeing that processing queues on one of my heavy forwarders appear to be blocking during a 6 hour period at night time when log volume being ingested is much lower (during this period, log volume ingested drops from 10 million to under 3 million events). Are there are obvious reasons as to why queue block ratios would increase at same time that thruput/event volume decreases? As I'm guessing that the opposite would generally be expected? We can see that block ratios increase at 1:00 AM below: index=_internal source=*metrics.log group=queue blocked=true host=HF max_size_kb>0 | timechart span=30m@m count by name   At the same time we can see thruput decrease below: index=_internal sourcetype=splunkd host=HF group=per_sourcetype_thruput series=* | timechart sum(kb) by series   Current queue config and context over last 24h:   I have also noticed a lot of 'Could not send data to output queue (parsingQueue), retrying' errors around the same time: index=_internal host=HFsource=*splunkd* log_level=ERROR OR log_level=WARN event_message="Could not send data to output queue (parsingQueue), retrying..." | timechart span=5m@m count by event_message         I would appreciate any answers around why queue block ratios would increase at same time that thruput/event volume decreases and also any solutions for getting average queue block ratios as close to 0 as possible - queues currently appear to be blocking throughout the day with highest block ratios occuring 1:00 - 8:00 AM. ... View more
Labels

Re: How can I find all scheduled searches that hav...

by in Splunk Search
‎05-19-2023 12:48 AM
‎05-19-2023 12:48 AM
@richgalloway By any chance, is it possible to find how much space on disk a search used? e.g. some users are running ad-hoc searches that frequently exceed 10GB in disk size. I tried editing Taruchit's search but couldn't find any fields in _audit relating to search size on disk. ... View more

Re: How can I find all scheduled searches that hav...

by in Splunk Search
‎05-18-2023 06:28 AM
1 Karma
‎05-18-2023 06:28 AM
1 Karma
Thanks a lot guys. ... View more

How can I find all scheduled searches that have a ...

by in Splunk Search
‎05-16-2023 02:33 AM
‎05-16-2023 02:33 AM
I am looking to find all scheduled searches within the environment that are using a timeframe of 'All time' e.g. if a search is scheduled to run every hour and is using timeframe of 'All time', I would like to change that search to use 'Last 60 minutes' instead. Any helpful searches would be appreciated! ... View more
Labels

How to query config files using SPL?

by in Monitoring Splunk
‎04-11-2023 03:40 AM
‎04-11-2023 03:40 AM
Hi guys,   I am currently troubleshooting some processing queue blocking issues (typing queue specifically). I need to view the current typing queue size - [queue=typingQueue] from /opt/splunk/etc/system/local/server.conf although I do not have access to SSH into the Indexer to view this config file directly. Is it possible to pull/view a full config file (server.conf/inputs.conf etc.) from a specific host by running an SPL query on the SH? Cheers, C ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-02-2023 04:02 AM
Karma from
View All
Karma given to