Yesterday we observed that the indexing queue on our indexers was at around 90+%.
This resulted in failed connections between Heavy Forwarders (HF) and Indexers.
Once the indexing queue receded, data from HFs started flowing to indexers and data was then written to disks.
I have a few questions regarding this:
1. Our environment hosts Splunk IT Service Intelligence and Splunk Enterprise Security, which are both premium apps. Would the searches targeting the indexers also be a cause of the blocked queues?
2. What is the maximum number of TCP connections an Indexer can accept?
3. Any inputs on how to avoid such cases in the future?