Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What happens to my events at Splunk Light Forwarder when the Indexer goes down?

the_wolverine
Champion
‎04-06-2010 09:44 PM

I have a bunch of Lightweight Forwarders (LWF) forwarding to my central indexer. What happens to my events when there's a problem with the indexer and it can't index when my LWFs are trying to send to it?

Reply
2 Solutions
Solved! Jump to solution
Solution

dskillman
Splunk Employee
Splunk Employee
‎04-06-2010 10:24 PM

The LWF will queue up events and try to resend. There is a maxQueue setting in outputs.conf that you can configure a larger queue. There are other settings you can tweak to cover your scenarios like dropping events or blocking if the queue fills. I would recommend spinning up another Splunk Indexer and use AutoLB and distributed search to limit losing connectivity to the indexing tier. You'll get better redundancy and better performance.

http://www.splunk.com/base/Documentation/4.1/Admin/Outputsconf

View solution in original post

Reply
Solved! Jump to solution
Solution

Dan
Splunk Employee
Splunk Employee
‎04-06-2010 10:44 PM

If the output queue fills up, all preceding Splunk processors will block. This means if you're monitoring a file or directory, the tailing processor will block and stop moving the pointers into each file. Once the indexer is up and the output queue empties, the tailing processor will unblock and the pointer will eventually catch up. You shouldn't lose data, unless the outage is so long that the file gets rolled or deleted.

If you have network inputs, no such luck.

View solution in original post

Reply
Solved! Jump to solution
Solution

Dan
Splunk Employee
Splunk Employee
‎04-06-2010 10:44 PM

If the output queue fills up, all preceding Splunk processors will block. This means if you're monitoring a file or directory, the tailing processor will block and stop moving the pointers into each file. Once the indexer is up and the output queue empties, the tailing processor will unblock and the pointer will eventually catch up. You shouldn't lose data, unless the outage is so long that the file gets rolled or deleted.

If you have network inputs, no such luck.

Reply
Solved! Jump to solution

Dan
Splunk Employee
Splunk Employee
‎04-06-2010 10:46 PM

that being said, I also recommend multiple Splunk Indexers and AutoLB. You get auto-failover in bad situations and awesome performance all other times.

0 Karma
Reply
Solved! Jump to solution

Dan
Splunk Employee
Splunk Employee
‎04-06-2010 10:45 PM

like all else, this is configurable. dropEventsOnQueueFull in outputs.conf

0 Karma
Reply
Solved! Jump to solution
Solution

dskillman
Splunk Employee
Splunk Employee
‎04-06-2010 10:24 PM

The LWF will queue up events and try to resend. There is a maxQueue setting in outputs.conf that you can configure a larger queue. There are other settings you can tweak to cover your scenarios like dropping events or blocking if the queue fills. I would recommend spinning up another Splunk Indexer and use AutoLB and distributed search to limit losing connectivity to the indexing tier. You'll get better redundancy and better performance.

http://www.splunk.com/base/Documentation/4.1/Admin/Outputsconf

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...