Could not send data to output queue (parsingQueue), retrying…
You can increase the file descriptors, etc. but you will probably still have performance issues. I am sure that the forwarder is consuming more CPU and memory than it should, too.
Even if only a portion of these files are actively being updated, Splunk will monitor ALL of them. Splunk examines the mod time of each file in a round-robin fashion, over and over again, even though nothing has changed (and maybe never will), because Splunk can’t know which files will or won’t be updated.
This is obviously a huge waste of machine time if most of the files are not being updated.
Here are some steps that you could take:
1. Remove the older files.
2. Rename the older files, perhaps to xyz.OLD. Blacklist those files using the regex \.OLD$ and Splunk will skip them.
3. Use the ignoreOlderThan setting. BE CAREFUL: ignoreOlderThan causes the monitored input to stop checking files whose mod time is older than the threshold. With a threshold of 2 weeks, you can’t ever add a file older than 2 weeks into the directory. (Well, you can, but Splunk will ignore it.)
4. By default the Forwarder limits its use of the network to 256 KBPS to avoid saturating the network. You can change this by editing /opt/splunk/system/local/limits.conf and then restarting Splunk:
[thruput]
# 0 means unlimited
maxKBps = 0
/opt/splunk/bin/splunk restart
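Before applying steps 2 and 3, it helps to preview which files a blacklist regex and an ignoreOlderThan threshold would take out of monitoring. The script below is an added example, not Splunk code or code from the original post: the function names are hypothetical, the 14d threshold and the sample files are constructed, and Python's re module stands in for Splunk's regex matching against the full path.

```python
import os, re, tempfile, time

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_age(spec):
    """Parse an ignoreOlderThan-style value such as '14d' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", spec.strip())
    if not m:
        raise ValueError(f"bad age spec: {spec!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def preview(root, blacklist=None, ignore_older_than=None, now=None):
    """Classify every file under root as blacklisted, too_old or monitored."""
    now = time.time() if now is None else now
    pattern = re.compile(blacklist) if blacklist else None
    max_age = parse_age(ignore_older_than) if ignore_older_than else None
    result = {"blacklisted": [], "too_old": [], "monitored": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if pattern and pattern.search(path):  # regex is tested against the full path
                bucket = "blacklisted"
            elif max_age is not None and now - os.path.getmtime(path) > max_age:
                bucket = "too_old"  # mod time is past the threshold
            else:
                bucket = "monitored"  # still checked on every pass
            result[bucket].append(os.path.relpath(path, root))
    return result

def demo():
    """Build a constructed sample directory and preview the settings on it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files: name -> age in days
        ages = {"app.log": 0, "app.log.1": 3, "jan.log": 40, "feb.log.OLD": 60}
        for name, age_days in ages.items():
            path = os.path.join(root, name)
            open(path, "w").close()
            os.utime(path, (now - age_days * 86400,) * 2)
        return preview(root, blacklist=r"\.OLD$", ignore_older_than="14d", now=now)

if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket:12} {len(names):3}  {names}")
```

Point preview() at the real monitored directory to see how many files would remain in the "monitored" bucket before changing the forwarder's configuration.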
To check the Part One solution, click on the link below:
Part One Solutions
Hopefully this stops the message below from appearing in your log:
Could not send data to output queue (parsingQueue), retrying…
Happy Splunking !!