Processors buffer configuration, process buffer 100%

cantipop · May 8, 2017, 8:19am

Hello, Where can I find some configuration on output/process/input buffer processors?
I am running version 1.3.4 on 4 graylog nodes and using 8 vCPU each.
The problem is that Process Buffer is at 100% and the graylog java process is using allt the CPU. The messages are gathering in Disk Journal and during the day we have a pover a 10 millions of messages pending in the cache (disk journal).
There is something we can do some tunning on it?
Or some documentation about the setting for output/process/input buffer processors
Thanks

jtkarvo · May 8, 2017, 9:15am

you could first try hints in this thread:

https://community.graylog.org/t/graylog-cluster-buffer-process-100-stop-process-messages/1032/1

cantipop · May 8, 2017, 11:35am

My elasticsearch cluster resides on different machines. I do not have significant load on elasticssearch cluster. I think if the elasticsearch experience issue ingesting data I could see it in load or in graylog output buffer usage, but is not the case.
I think I need more cpu power or more graylog nodes.
Thanks.

jtkarvo · May 8, 2017, 11:48am

Did you already check your extractors, as suggested in the thread I linked?

rafaelcarsetimo · May 8, 2017, 8:15pm

@jtkarvo and @cantipop.

Thanks for ALL helps. My real problem has a extractor. I made a Cluster with 5 graylog servers and 3 elasticserach nodes to balance the devices of my network (almost 200 devices, 55K messages per minute). And by elimination, discover one extractor thats stuck the process buffer. After recreate the regex, all works fine. At least 12 hours.

Regards.

jan · May 9, 2017, 7:30am

3 posts were split to a new topic: Grok optimization

cleytons · June 21, 2018, 4:34pm

I had this same problem too. Hence I followed an orientation I found in a group on the internet to install the ntp package to synchronize the clocks of my servers. My graylog server and two elasticsearch servers. After that, I had no problem with the full Process Buffer.

jan · June 22, 2018, 8:05am

That is the reason why out multinode guide recommends exactly that:

http://docs.graylog.org/en/2.4/pages/configuration/multinode_setup.html#prerequisites

We highly recommend that the system time on all systems is kept in sync via NTP or a similar mechanism. Needless to say that DNS resolution must be working, too. Because everything is a freaking DNS problem

Topic		Replies	Views
Process and output buffer is 100% utilized Graylog Central (peer support)	5	9319	July 26, 2018
Process Buffer Flooding 100% process Graylog Central (peer support)	8	4465	May 7, 2020
Optimize Process buffer at 100% Graylog Central (peer support)	4	1194	March 16, 2023
Process and output buffers are full Graylog Central (peer support)	19	8582	November 30, 2020
Process Buffer Full - How do i fault find? Graylog Central (peer support)	6	4518	June 19, 2020

Processors buffer configuration, process buffer 100%

Related Topics