Getting Data In

The aggqueue and parsingqueue consistently full / blocked - how do I increase?

MikeyG
Explorer

Search is index="_internal" source="*metrics.log" group="queue" | timechart perc90(current_size) by name

Results are:

group=queue, name=parsingqueue, blocked!!=true, max_size=1000, filled_count=15, empty_count=0, current_size=1000, largest_size=1000, smallest_size=996

group=queue, name=aggqueue, blocked!!=true, max_size=1000, filled_count=31, empty_count=0, current_size=1000, largest_size=1000, smallest_size=930

1 Solution

gkanapathy
Splunk Employee
Splunk Employee

Are you actually experiencing problems with indexing throughput?

Increasing the length of the queue will probably not help. A constantly filled queue indicates that the processing that takes place on it is unable to keep up with the incoming work. Increasing the queue may give you a little room if this happens because your data comes in small bursts. If you are not experiencing indexing throughput problems, there's nothing you need to do.

If you are experiencing indexing throughput problems, there are a few options. Among them:

  • Add another indexer
  • Optimize any index-time props and transforms rules on your data, or remove unnecessary ones. These include:
    • Timestamp extraction. If you can specify explicit timestamp formats, those are faster than having Splunk guess
    • Line merging rules. If your data is always single line, you can set SHOULD_LINEMERGE = false. You can also consider using custom LINE_BREAKER settings instead of line merging rules for multi-line data.
    • Number and efficiency of any regexes used in TRANSFORMS and SEDCMD rules

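The distinction gkanapathy draws above, between a queue that never drains (its processor cannot keep up, so a longer queue will not help) and one that only fills on bursts (where a longer queue buys some room), can be checked directly against raw metrics.log queue lines. The following Python is an added example, not code from this thread or from Splunk; the sample lines are constructed to mimic the format quoted in the question, and the 90 % fill threshold and the three labels are my own assumptions.

```python
import re

# Constructed sample metrics.log lines modelled on the format quoted in the
# question; not data from any real deployment.
SAMPLE_LINES = [
    "group=queue, name=parsingqueue, blocked!!=true, max_size=1000, filled_count=15, empty_count=0, current_size=1000, largest_size=1000, smallest_size=996",
    "group=queue, name=aggqueue, blocked!!=true, max_size=1000, filled_count=31, empty_count=0, current_size=1000, largest_size=1000, smallest_size=930",
    "group=queue, name=typingqueue, max_size=1000, filled_count=2, empty_count=9, current_size=0, largest_size=1000, smallest_size=0",
    "group=queue, name=indexqueue, max_size=1000, filled_count=0, empty_count=12, current_size=3, largest_size=120, smallest_size=0",
    "group=pipeline, name=parsing, processor=utf8, cpu_seconds=0.1",
]

# key=value pairs; the key may contain '!' because of the "blocked!!" field.
KV_RE = re.compile(r"([\w!]+)=([^,\s]+)")

SIZE_FIELDS = ("max_size", "filled_count", "empty_count",
               "current_size", "largest_size", "smallest_size")

def parse_queue_line(line):
    """Return the numeric fields of a group=queue line as a dict, or None
    for lines belonging to other metric groups."""
    fields = dict(KV_RE.findall(line))
    if fields.get("group") != "queue":
        return None
    q = {"name": fields["name"], "blocked": fields.get("blocked!!") == "true"}
    for key in SIZE_FIELDS:
        q[key] = int(fields[key])
    return q

def classify(q, full_ratio=0.9):
    """saturated: blocked, or never drained and never below full_ratio of
    max_size during the interval -> the downstream processor cannot keep up.
    bursty: hit max at times but also ran empty -> a longer queue can absorb bursts.
    healthy: never hit max."""
    if q["blocked"] or (q["empty_count"] == 0
                        and q["smallest_size"] >= full_ratio * q["max_size"]):
        return "saturated"
    if q["filled_count"] > 0 and q["empty_count"] > 0:
        return "bursty"
    return "healthy"

def summarize(lines):
    """Map each queue name seen in the lines to its classification."""
    result = {}
    for line in lines:
        q = parse_queue_line(line)
        if q is not None:
            result[q["name"]] = classify(q)
    return result

if __name__ == "__main__":
    for name, state in summarize(SAMPLE_LINES).items():
        print(f"{name:14s} {state}")
```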

gkanapathy
Splunk Employee
Splunk Employee

You can ignore pulldown. It just controls whether the sourcetype appears in the GUI list. The other problem may just be that you need a faster machine or faster disk.

0 Karma

MikeyG
Explorer

Indexing is very slow. Added 250 MB to indices, which helped some. Going to the customized timestamp formats next due to mixed Windows, Sourcefire, and Cisco data. Everything is single line coming from Snare and syslog, so I will turn on SHOULD_LINEMERGE = false. Regexes are spot on, and only as long as I need to pull fields from. Thanks for the help; will check back. What is the pulldown value all about? Noticed it in the props.conf in default. Should it be added to the local props.conf?

0 Karma