Disabling Ingestion
LogScale has the ability to pause ingestion of data into a repository when needed.
There are a few reasons to consider blocking ingest:
the data arriving is corrupt or otherwise causing problems.
to prevent new data from arriving before you update the parser syntax.
in the case of a cluster, you may want to do this if the volume of data arriving is overwhelming your current cluster size. Ingestion could be disabled until you have time to resolve the problem.
Blocking and Unblocking Ingestion
Security Requirements and Controls
Manage Cluster
permissionManageCluster
API permission
Ingest can be blocked and unblocked from the user interface. You can specify for how long you want to prevent new events from being ingested for a specific repository.
Figure 64. Blocking Ingest-Settings
The Block Ingestion
page enables you to
temporarily block ingestion for a short period of time, after which it
will be re-enabled. This can be useful in a variety of situations where
the level of ingestion and activity are causing performance or reporting
problems.
From the
page, select the repository where you want to block ingestion.Click
, under on the side menu click .On the
Block ingestion
page, select the interval of time for which to block ingest and click or click to restart ingestion.
If you are using a log shipper, once ingestion is enabled they can reconnect and continue sending the logs so that events are not lost.
For more information, see Disabling Ingestion.
If successful, you will see a notice:
Figure 65. Blocking Ingest
Note
When the duration of the block expires, ingest is re-enabled. The maximum duration allowed is one year.
When you block ingest, all sockets opened for ingest into this repository are closed and not re-opened until the block has expired or been removed by hand. Most log shippers will simply queue up the log records when they cannot deliver them and then, when the connection is re-opened, they will ship all the missing data as well as new data from that point on.