Solved: What are the various queues in Splunk

adityapavan18 · ‎04-11-2013

I found the following configuration in my indexers

[queue]
maxSize = 500KB

[queue=AQ]
maxSize = 10MB

[queue=WEVT]
maxSize = 5MB

[queue=aggQueue]
maxSize = 1MB

[queue=fschangemanager_queue]
maxSize = 5MB

[queue=parsingQueue]
maxSize = 6MB

Can anyone help me in understanding each of those queues?

Out of those which one is indexing queue?

kristian_kolb · ‎04-11-2013

Read on. I believe that none of them are the indexingQueue.

http://splunk-base.splunk.com/answers/3250/what-does-the-queue-named-aq-how-did-it-get-blocked

http://splunk-base.splunk.com/answers/7076/questions-about-splunk-queues

http://wiki.splunk.com/Community:HowIndexingWorks <-- Good overview, but rather detailed

http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Usepersistentqueues

View solution in original post

ChrisG · ‎04-11-2013

The overview of the data pipeline and queues in the documentation is in the topic "How data moves through Splunk" in the Distributed Deployment Manual. See also inputs.conf. But I don't see anything in the spec files about these specific settings, so the Answers links that Kristian provided are your best bet. Are you having issues with blocked queues, or are you just learning and discovering?

adityapavan18 · ‎04-12-2013

In the splunk environment i am working on, I am losing data(i.e the events coming from Universal forwarder to Indexer), wanted to know if i am losing data because of queues being full.