We had this severe issue last week - [What can be done when the parsing and aggregation queues are filled up?][1]
[1]: https://answers.splunk.com/answers/799788/what-can-be-done-when-the-parsing-and-aggregation.html
Since it took us days to figure it out, the entire indexer cluster was compromised, and it took 11 hours with Support on the line to detect it, I wonder whether in general a heavy forwarder layer is a good idea.