![]() The persistent queue for TCP port 2012 is $SPLUNK_HOME/var/run/splunk/tcpin/pq_2012.Put two underscores in the file name: pq_, not pq_. The persistent queue has a hardcoded location, which varies according to the type of input.įor network inputs, the persistent queue is located at $SPLUNK_HOME/var/run/splunk//pq_. You can configure a persistent queue for a specific Windows host monitoring input. You cannot configure a persistent queue for a specific Event Log channel. The Windows Event Log monitor accepts a persistent queue configuration for the default Windows Event Log stanza only. Specify the following setting within that input stanza:.Locate or add the input stanza where you want to enable persistent queuing.On the machine that forwards data to Splunk Cloud Platform, use a text editor to open the $SPLUNK_HOME/etc/system/local/nf file for editing.You configure a persistent queue in the stanza for the specific input. Use the same procedure directly on the indexer or forwarder that sends data to the indexer. You can also configure persistent queues on Splunk Enterprise indexers. ![]() You can configure the persistent queue on the universal forwarder that you configured to send data to Splunk Cloud Platform. Use the nf configuration file to configure a persistent queue. Persistent queues aren't available for these input types: Network inputs that use the UDP protocol.Network inputs that use the TCP protocol.Persistent queues are available for these input types: Generally speaking, persistent queuing is available for inputs of an ephemeral nature, such as network inputs, but isn't available for inputs that have their own form of persistence, such as monitoring files. Persistent queuing is available for certain types of inputs, but not all. Similarly, data that is in the parsing or indexing pipeline but that has not yet been written to disk can get lost in a crash. The in-memory data can get lost if the forwarder crashes. For example, the forwarder holds some input data in the in-memory queue as well as in the persistent queue files. While persistent queues help prevent data loss if processing gets backed up, you can still lose data if the forwarder or indexer crashes. It then processes data from the in-memory and disk queues until it reaches the point when it can again start processing directly from the data stream. With persistent queuing, after the in-memory queue is full, the forwarder or indexer writes the input stream to files on disk. For other types of data inputs, the application that generates the data can get backed up.īy implementing persistent queues, you can help prevent this data drop or loss from happening. In the case where you send network data over the UDP protocol, that data drops off of the queue and gets lost. If the input stream runs at a faster rate than the forwarder or indexer can process, to a point where the input queue on the forwarder maxes out, undesired consequences occur. You can't configure persistent queues directly on a Splunk Cloud Platform instance.īy default, forwarders and indexers have an in-memory input queue of 500 KB. In a Splunk Enterprise deployment, persistent queues work for either forwarders or indexers. In a Splunk Cloud Platform deployment, persistent queues can help prevent data loss if a forwarder that you configured to send data to your Splunk Cloud Platform instance backs up. Persistent queuing lets you store data in an input queue to disk. Use persistent queues to help prevent data loss
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |