I have a distributed environment with multiple indexes, search heads, and a pair of heavy forwarders. Since last days one of my HF starts to alert a issue, Monitoring Console's Health Check is warning "Saturation of event-processing queues". Besides that, the HF performance have decreased a lot, delaying event delivery and failing scripts execution. splunkd is consuming 100% of its CPU core full time.
Checking docs (*Identify and triage indexing performance problems*), they suggests to determine queue fill patern through *Monitoring Console > Indexing > Indexing Performance: Instance*. But seems it applies only to indexers, not to HF.
Please, how could I discover what is causing such issue? How could I monitor such issue, I mean to see when it starts and how long it takes in order do cross with other systems behavior? Is such info available in Monitoring Console?
Thanks in advance and regards,
Tiago
↧