- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Splunk HEC Token Log ingestion slowness
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am using HEC tokens to collect the logs from servers. Sometimes we are firing the events but the events is not coming to splunk. We have one indexer and our all tokens are managed on the indexer only. The moment we restart the indexer , all the logs will comes up frequently. If we dont restart we are not getting logs sending from HEC Tokens ?
what is the issue , how can i fix it ? why most of the time only a restart is pulling the logs ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd check the monitoring console for queues getting filled up on your indexers. When you restart, they get cleaned up so maybe that's a reason for it.
Check queue fill ratio in Indexer Performance of Monitoring Console
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd check the monitoring console for queues getting filled up on your indexers. When you restart, they get cleaned up so maybe that's a reason for it.
Check queue fill ratio in Indexer Performance of Monitoring Console
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now i checked i saw everything in 0 their , do i need to check when the issue comes again , and if its the case how can i clear those ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can't clear the queues. They are there to avoid a total Splunk crash and serve as a buffer that will get filled and emptied according to data flow rate and processing capacity. If you see that queues are full when you stop receiving events or are receiving too few events, then it is time for evaluation.
Maybe you have not adequate machines to ingest that amount of data, but I'm purely speculating. Check the indicators in the queues, and resource in general for your indexer layer to see if it is overflowing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok got it apart from it is their any other issues where we will point out the delay ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd say it has to be resource consumption, either queues filling up, RAM or CPUs, or even your network not coping with the volume, all that can be analyzed in the Monitoring Console
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi tiago , i checked again the issue came , the quefill ratio everything looks good but dont know why logging sometimes stopped then after restart of the indexer all stucked logs came is it due to less logging volume ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ok thanks tiago i will monitor when net time this issue will comes up.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
