Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to troubleshoot why universal forwarders are reporting "Could not send data to output queue (parsingQueue), retrying..."?

prakash007
Builder
‎04-14-2016 07:41 AM

I'm getting this message below on Universal Forwarders' splunkd.log...

INFO  BatchReader - Could not send data to output queue (parsingQueue), retrying...
INFO  TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
INFO  TailReader - Could not send data to output queue (parsingQueue), retrying...

I did follow this step below...

  1. grep "*blocked=true*" /opt/app/splunkforwarder/var/log/splunk/metrics.log* I don't see any blocked queues
  2. I did add limits.conf in /opt/apps/splunkforwarder/etc/system/local [thruput] maxKBps = 0

Still I see the message: 

Could not send data to output queue (parsingQueue), retrying...

What are the next options I need to look to resolve this..??

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎04-14-2016 07:48 AM

Hi mcnamara, The next options will be to verify that the forwarder has connectivity to the upstream tcpout host. This can be done by using telnet or openssl commands

openssl s_client -connect <upstreamhost>:<port>

Additionally, look at other universal forwarder installations and determine if they are able to connect. If they can, then that means that you have a problem with the one particular host in question. Otherwise there is an issue with the overall outputs.conf configuration, or a networking issue (simply no route to upstream splunk instance).

Please let me know if this helps!

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-14-2016 03:22 PM

The message itself says "outputqueue on forwarder is full", but that's usually just a symptom. The cause usually is no connectivity to the indexing tier, or full queues on the indexing tier, or some other indexing blockage.

0 Karma
Reply

prakash007
Builder
‎04-14-2016 08:29 AM

Hi muebel, I did try your command and it says connected

$ openssl s_client -connect apwebsvr:9997
CONNECTED(00000003)
3648:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Here's our data flow... UF------->HF-------->Splunkcloud, i did telnet and openssl from UF to HF which is connecting.

I don't see this message (Could not send data to output queue (parsingQueue), retrying..) when i restart the splunk instance on UF, but it's been happening every now and then.

Based on the message in the log, is parsingQueue gets filled up on UF or HF or Indexer...? just trying to understand to get a permanent solution. Thanks..!!

0 Karma
Reply

somesoni2
Revered Legend
‎04-14-2016 07:46 AM

Is your forwarder able to connect to Indexer? Check the firewall rules etc..

0 Karma
Reply

prakash007
Builder
‎04-14-2016 08:12 AM

Yes it is connecting, i did $telnet servername port#

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...