Use persistent queues to help prevent data loss

Persistent queuing lets you store data in an input queue to disk. This can help prevent data loss if the forwarder or indexer gets backed up.

By default, forwarders and indexers have an in-memory input queue of 500KB. If the input stream runs at a faster rate than the forwarder or indexer can process, to a point where the queue is maxed out, undesired consequences occur. In the case of UDP, data drops off the queue and gets lost. For other input types, the application generating the data gets backed up.

By implementing persistent queues, you can help prevent this from happening. With persistent queuing, once the in-memory queue is full, the forwarder or indexer writes the input stream to files on disk. It then processes data from the queues (in-memory and disk) until it reaches the point when it can again start processing directly from the data stream.

Note: While persistent queues help prevent data loss if processing gets backed up, you can still lose data if Splunk software crashes. For example, Splunk software holds some input data in the in-memory queue as well as in the persistent queue files. The in-memory data can get lost if a crash occurs. Similarly, data that is in the parsing or indexing pipeline but that has not yet been written to disk can get lost in the event of a crash.

When can you use persistent queues?

Persistent queuing is available for certain types of inputs, but not all. Generally speaking, it is available for inputs of an ephemeral nature, such as network inputs, but not for inputs that have their own form of persistence, such as file monitoring.

Persistent queues are available for these input types:

• TCP
• UDP
• FIFO
• Scripted inputs
• Windows Event Log inputs
• HTTP Event Collector tokens

Persistent queues are not available for these input types:

• Monitor
• Batch
• File system change monitor
• splunktcp (input from Splunk forwarders)

Configure a persistent queue

Use the inputs.conf file to configure a persistent queue.

Inputs do not share queues. You configure a persistent queue in the stanza for the specific input.

Syntax

To create the persistent queue, specify these two attributes within the particular input's stanza:

persistentQueueSize = <integer>(KB|MB|GB|TB)
* Max size of the persistent queue file on disk.
* Defaults to 0 (no persistent queue).

Example

Here's an example of specifying a persistent queue for a tcp input:

[tcp://9994]
persistentQueueSize=100MB

Persistent queue location

The persistent queue has a hardcoded location, which varies according to the input type.

For network inputs, the persistent queue is located here:

$SPLUNK_HOME/var/run/splunk/[tcpin|udpin]/pq__<port>

Note: There are two underscores in the file name: pq__<port>, not pq_<port>.

For example:

• The persistent queue for TCP port 2012: $SPLUNK_HOME/var/run/splunk/tcpin/pq__2012

• The persistent queue for UDP port 2012: $SPLUNK_HOME/var/run/splunk/udpin/pq__2012

For FIFO inputs, the persistent queue resides under $SPLUNK_HOME/var/run/splunk/fifoin/<encoded path>.

For scripted inputs, it resides under $SPLUNK_HOME/var/run/splunk/exec/<encoded path>. The FIFO/scripted input stanza in inputs.conf derives the <encoded path>.