You're dead on. I also have not been able to find an explanation of what all of those queues do. Not even in the architect training course. I've narrowed most down, but I'm still missing an explanation for the typing, stashparsing, parsing, aeq and audit queues.
These are the ones I've been able to pinpoint so far with respect to their place in the data pipeline:
Inputs: tcpin, splunktcpin, fschangemanager, exec
Parsing: parsing???, stashparsing???
Merging: agg
Typing: Typing??
Indexing: index
So the issue, of course, is that you see a specific queue spike up and block, but since its function is not documented you don't know the reason, so you have to investigate elsewhere what's going on. Sometimes you don't find out until the issue gets so bad that you see a direct correlation between a spike in a queue and an acute symptom in one of Splunk's many functions.
Why isn't this documented properly?