The Watchtower • Room 3

🖥️ SPL Lab: Troubleshooting Ingestion

When data stops flowing, the first place to look is the _internal index. Indexing pipeline issues, parsing errors, and queue warnings all show up there.

Common search patterns include checking for blocked queues, parsing errors, and license usage spikes.

Blocked queues (fill_perc > 90%) indicate a pipeline bottleneck — usually means the indexer or forwarder needs more resources.

Knowledge Check

Prove your understanding to clear the room (Rewards XP)

Write a search that checks the indexing queue fill percentage from _internal metrics.

Splunk Search Bar