×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
SplunkMan96
Engager
Member since: ‎07-14-2023
‎08-28-2023
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎07-14-2023
View All

Why is parsingQueue Filling Up on UF Despite No Pa...

by in Getting Data In
‎08-25-2023 11:51 AM
‎08-25-2023 11:51 AM
I know queue backlog troubleshooting questions are very common but I'm stumped here. I have 2 Universal Forwarders forwarding locally monitored log files (populated by syslog-ng forwarding) over TCP to 4 load-balanced Heavy Forwarders, which then send them to a cluster of 8 indexers. These Universal Forwarders are processing a lot of data, approximately 500 MB per minute each, but this setup worked without lag or dropped logs up until recently. The disk IO and network speeds should be easily able to handle this volume. However, recently, the Universal Forwarders have stopped forwarding logs and the only WARN/ERROR logs in splunk.d are as follows: 08-25-2023 14:40:09.249 -0400 WARN TailReader [25677 tailreader0] - Could not send data to output queue (parsingQueue), retrying... And then, generally some seconds later: 08-25-2023 14:41:04.250 -0400 INFO TailReader [25677 tailreader0] - ...continuing. My question is this: assuming there's no bottleneck in the TCP output to the 4 HFs, what "parsing" exactly is being done on these logs that would cause the parsingQueue to fill up? I've looked at just about every UF parsingQueue related question on Splunk to find an answer, and I've addressed some common gotchas: - maxKBps in the [thruput] stanza in limits.conf is set to 0 (unlimited thruput) - 2 parallel parsing queues, each with 1 GB of storage (higher than recommended but I was desperate) - no INDEXED_EXTRACTIONS for anything but Splunk's preconfigured internal logs I've taken some other steps as well: - set up logrotate on the monitored files to rotate any file that gets larger than 1GB, so Splunk isn't monitoring exceptionally large files - set "DATETIME_CONFIG = NONE" and "SHOULD_LINEMERGE = false" for all non-internal sourcetypes I don't understand why the parsingQueue would fill up when it doesn't seem like there's any parsing actions configured on this machine! Is anyone able to advise me on what to look for or change to resolve this? Thanks much. ... View more
Labels

Re: props.conf - Issue with [<spec>] regex-like sy...

by in Getting Data In
‎07-14-2023 01:23 PM
‎07-14-2023 01:23 PM
This works, thanks! Using [(?::){0}Snare:Security|XmlWinEventLog]as the stanza specifier applies the rules to both sourcetypes. In response to the original reply, I would combine the sourcetypes, but they do have meaningfully different formats. As you can see, some come direct from Windows machines in XML format and some are forwarded over syslog using Snare, and have been converted to TSV format. I've translated fields into CIM format for each case, but the raw text still differs, so I feel the sourcetype should as well. I could, of course, copy the same text to two stanzas, but in my opinion that's pretty messy. I tried adding wildcards to the sourcetype, but it doesn't work as intended. This isn't intended to be actual regex, but the regex-like syntax encompassing those four operators (..., *, |, ()) specified in Splunk's props.conf definition. ... View more

props.conf - Issue with [<spec>] regex-like syntax

by in Getting Data In
‎07-14-2023 12:46 PM
‎07-14-2023 12:46 PM
I'm trying to specify a single stanza in props.conf, with FIELDALIAS and EVAL expressions, for two different sourcetypes, "Snare:Security" and "XmlWinEventLog". However, when I use an OR pipe to specify both sourcetypes in the [<spec>], like so: [Snare:Security|XmlWinEventLog] neither sourcetype has the rules applied to it. Inspecting "source types" in my search head shows that the rules have been applied to the sourcetype "Snare:Security|XmlWinEventLog", instead of both the individual sourcetypes. Am I not using the pipe correctly? Per the splunk documentation: **[<spec>] stanza patterns:** When setting a [<spec>] stanza, you can use the following regex-type syntax: ... recurses through directories until the match is met or equivalently, matches any number of characters. * matches anything but the path separator 0 or more times. The path separator is '/' on unix, or '\' on Windows. Intended to match a partial or complete directory or filename. | is equivalent to 'or' ( ) are used to limit scope of |. \\ = matches a literal backslash '\'. It seems like it should work. I've tried placing parenthesis around the whole expression and around each individual sourcetype. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-28-2023 03:30 PM
Karma given to
View All