Followers

Thursday, May 7

Could not send data to output queue (parsingQueue), retrying... ( Part 2 )

Could not send data to output queue (parsingQueue), retrying...



You can increase the file descriptors, etc. but you will probably still have performance issues. I am sure that the forwarder is consuming more CPU and memory than it should, too.
Even if only a portion of these files are actively being updated, Splunk will monitor ALL of them. This means that Splunk will examine the mod time of each file in a round-robin fashion. Over and over again, even though nothing has (and maybe never will) change. Because Splunk can't know which files will or won't be updated.
This is obviously a huge waste of machine time if most of the files are not being updated. 

Here are some steps that you could take:
  1. Remove the older files.

  1. Rename the older files to a name, perhaps xyz.OLD. Blacklist files using the regex .OLD$ and Splunk will skip them.

  1. Use the ignoreOlderThan = <time window> in inputs.conf - but BE CAREFUL. ignoreOlderThan causes the monitored input to stop checking files for updates if their modtime has passed this threshold. So if you set it for 14d, then you can't ever add a file older than 2 weeks into the directory. (Well, you can, but Splunk will ignore it.)


  1. By default the Forwarder limits its use of the network to 256 KBPS to avoid 
     saturating the network .
     You can change this by editing /opt/splunk/etc/system/local/limits.conf:

[thruput] maxKBps = 0 # means unlimited

/opt/splunk/bin/splunk restart <enter>



To check the Part One Solution click on the below link :


               Part One Solutions



Hope you get rid of the below message from being appearing in your log :

Could not send data to output queue (parsingQueue), retrying...

Happy Splunking !!

No comments: