We've recently started using the Kinesis Splunk Add-on for our clustered Splunk environment. We have it installed on our heavy forwarder, which then forwards the events on to the Splunk cluster.
We've been having issues where the Kinesis streams "lag" or fall behind real time when bulk batches of logs come in. Other readers from these streams (like ELK) aren't having this issue and seem to handle the increased load just fine; only Splunk is lagging behind. Kinesis shows we are below the threshold for reads/writes.
Do you have any pointers/tips for where to start diagnosing this issue?
Amazon Kinesis Modular Input: How to troubleshoot why Kinesis streams are lagging behind real time?