Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What happens to my events at Splunk Light Forwarder when the Indexer goes down?

the_wolverine
Champion
‎04-06-2010 09:44 PM

I have a bunch of Lightweight Forwarders (LWF) forwarding to my central indexer. What happens to my events when there's a problem with the indexer and it can't index when my LWFs are trying to send to it?

Reply
2 Solutions
Solved! Jump to solution
Solution

dskillman
Splunk Employee
Splunk Employee
‎04-06-2010 10:24 PM

The LWF will queue up events and try to resend. There is a maxQueue setting in outputs.conf that you can configure a larger queue. There are other settings you can tweak to cover your scenarios like dropping events or blocking if the queue fills. I would recommend spinning up another Splunk Indexer and use AutoLB and distributed search to limit losing connectivity to the indexing tier. You'll get better redundancy and better performance.

http://www.splunk.com/base/Documentation/4.1/Admin/Outputsconf

View solution in original post

Reply
Solved! Jump to solution
Solution

Dan
Splunk Employee
Splunk Employee
‎04-06-2010 10:44 PM

If the output queue fills up, all preceding Splunk processors will block. This means if you're monitoring a file or directory, the tailing processor will block and stop moving the pointers into each file. Once the indexer is up and the output queue empties, the tailing processor will unblock and the pointer will eventually catch up. You shouldn't lose data, unless the outage is so long that the file gets rolled or deleted.

If you have network inputs, no such luck.

View solution in original post

Reply
Solved! Jump to solution
Solution

Dan
Splunk Employee
Splunk Employee
‎04-06-2010 10:44 PM

If the output queue fills up, all preceding Splunk processors will block. This means if you're monitoring a file or directory, the tailing processor will block and stop moving the pointers into each file. Once the indexer is up and the output queue empties, the tailing processor will unblock and the pointer will eventually catch up. You shouldn't lose data, unless the outage is so long that the file gets rolled or deleted.

If you have network inputs, no such luck.

Reply
Solved! Jump to solution

Dan
Splunk Employee
Splunk Employee
‎04-06-2010 10:46 PM

that being said, I also recommend multiple Splunk Indexers and AutoLB. You get auto-failover in bad situations and awesome performance all other times.

0 Karma
Reply
Solved! Jump to solution

Dan
Splunk Employee
Splunk Employee
‎04-06-2010 10:45 PM

like all else, this is configurable. dropEventsOnQueueFull in outputs.conf

0 Karma
Reply
Solved! Jump to solution
Solution

dskillman
Splunk Employee
Splunk Employee
‎04-06-2010 10:24 PM

The LWF will queue up events and try to resend. There is a maxQueue setting in outputs.conf that you can configure a larger queue. There are other settings you can tweak to cover your scenarios like dropping events or blocking if the queue fills. I would recommend spinning up another Splunk Indexer and use AutoLB and distributed search to limit losing connectivity to the indexing tier. You'll get better redundancy and better performance.

http://www.splunk.com/base/Documentation/4.1/Admin/Outputsconf

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...