Hey guys,
I got some question regarding parsing queue issues I have been observing on our Heavy Forwarders. I am currently seeing between 500 and 1000 blocked events on each heavy forwarder daily when running:
index=_internal host=*HF* blocked=true
The total ratio of blocked events seems to be about 10% and they mostly all seem to appear in the aggqueue:
![alt text][1]
[1]: /storage/temp/287597-capture.png
My main question is if this is reason for concern or what the impact on my current Splunk environment would be. Also why would all this blocking be in mainly one queue ?
Thank you,
Oliver
↧