Forums: SplunkGeneral: Splunk forwarders and priority

Previous Topic: Combine two similar elements into one under a custom field  |   Next Topic: conditional routing and local indexing


Posts 1–3 of 3  |  Post to this topic
1
gfoden's Mugshot posted by: gfoden  |  posts
date: November 27, 2007
permalink

If an indexing host becomes overloaded due to more data than it can handle being sent to it and the forwarders starti buffering their cooked data locally, does Splunk use a priority system once the indexers becomes available again?
I.e. does older buffered data take precedence over any new data that might be sent to Splunk or is there no such system and we should assume that the older buffered data is indexed like any other data?

2
araitz's Mugshot posted by: araitz  |  posts
date: November 27, 2007
permalink

At the present time, the scenario you described will result in the data being indexed on a first-come, first-served basis when the indexer becomes available again. We have identified this as suboptimal for several reasons, and thus several enhancement requests have been submitted to create a queuing and throttling device between forwarders and receivers. This is not yet in the road map, so I can't give you a date or version at this time.

3
gfoden's Mugshot posted by: gfoden  |  posts
date: November 28, 2007
permalink

It is interesting to know, all the same. Thanks. Indeed, some form of prioritization would be interesting in our environment (where people need real-time performance and access to their logs as quickly as possible).

Post to this topic

You must be logged in to post a reply.










close

Flash required to play this video.

Click here to download the free Flash Player.

Description:

Permalink: