Free Preparation Discussions
MENU
Splunk Exam SPLK-5002 Topic 1 Question 4 Discussion
Topic #: 1
An engineer observes a delay in data being indexed from a remote location. The universal forwarder is configured correctly.
What should they check next?
If there is a delay in data being indexed from a remote location, even though the Universal Forwarder (UF) is correctly configured, the issue is likely a queue blockage or network latency.
Steps to Diagnose and Fix Forwarder Delays:
Check Forwarder Logs (splunkd.log) for Queue Issues (A)
Look for messages like TcpOutAutoLoadBalanced or Queue is full.
If queues are full, events are stuck at the forwarder and not reaching the indexer.
Monitor Forwarder Health Using metrics.log
Use index=_internal source=*metrics.log* group=queue to check queue performance.
Incorrect Answers: B. Increase the indexer memory allocation -- Memory allocation does not resolve forwarder delays. C. Optimize search head clustering -- Search heads manage search performance, not forwarder ingestion. D. Reconfigure the props.conf file -- props.conf affects event processing, not ingestion speed.
Splunk Forwarder Troubleshooting Guide
Monitoring Forwarder Queue Performance
Makeda
2 months agoRoselle
2 months agoKallie
2 months agoTamesha
2 months agoVernell
5 days agoGerman
7 days agoDorcas
8 days agoFlo
9 days agoBarrett
10 days agoJanet
11 days agoRashida
12 days agoNoble
13 days agoAn
14 days agoPaz
15 days agoLorrine
19 days agoAnnelle
2 months agoDeonna
3 months agoPortia
3 months agoKarma
3 months agoAn
2 months agoJame
2 months agoCheryll
2 months agoBillye
3 months agoElise
3 months agoJunita
3 months ago