All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Kafka: spikes with very long gaps on low throughput

sonicant
Path Finder
‎05-04-2017 10:49 PM

I'm using the Splunk Add-on for Kafka to collect events from a kafka topic. The kafka server was on the same machine with splunk, so network should not be an issue.
There is a shell script continuously populating events into a certain kafka topic with 16 partitions (let's say topic "A"), when I use kafka-console-consumer.sh to check topic "A", it prints events continuously which is just as expected. So I thought my kafka setup was correct.

Now the problem is,
When I was populating the events into the topic "A" in normal speed (50-80 events per minute), the splunk add-on for Kafka fetches messages in a strange behavior, it got hundreds of events in 1 minute but "sleep" for another 6-7 minutes. Just like the chart below,
alt text

But, when I increased the populating speed to 1000 msg/s or 5000 msg/s, splunk got those messages immediately and in expected throughput, please see the screenshots below,

alt text

It seems like there is some "buffer" in the add-on which will wait for certain count of messages to flush into splunk...

btw, the Kafka version is:
kafka_2.12-0.10.2.0

the inputs.conf content:

[kafka_mod]
interval = 5

[kafka_mod://kfk1]
index = aaa
kafka_cluster = bbb
kafka_partition_offset = earliest
kafka_topic = A
kafka_topic_group = splunk
kafka_partition = 0

[kafka_mod://kfk2]
index = aaa
kafka_cluster = bbb
kafka_partition_offset = earliest
kafka_topic = A
kafka_topic_group = splunk
kafka_partition = 1

[kafka_mod://kfk3]
index = aaa
kafka_cluster = bbb
kafka_partition_offset = earliest
kafka_topic = A
kafka_topic_group = splunk
kafka_partition = 2

...
//16 partitions in total
...
Preview file
1 KB
Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

sonicant
Path Finder
‎05-07-2017 07:38 PM

The problem was solved, my colleague found some parameters controlling the batch behavior in the add-on.

View solution in original post

Reply
Solved! Jump to solution
Solution

sonicant
Path Finder
‎05-07-2017 07:38 PM

The problem was solved, my colleague found some parameters controlling the batch behavior in the add-on.

Reply
Solved! Jump to solution

sivakumarsamy
New Member
‎12-04-2018 07:30 PM

How do we get Kafka Key Value pair in Splunk. Always we see only Kafka Value, we need Kafka Key as well

0 Karma
Reply
Solved! Jump to solution

davidepiotti
Explorer
‎08-28-2017 07:34 AM

I have the same problem: I have a script writing 1 event per second on a Kafka environment but the Splunk Add-on for Kafka collects more or less 60 events on spikes every one minute.
How did you end up solving the issue?

0 Karma
Reply
Solved! Jump to solution

sonicant
Path Finder
‎05-05-2017 12:50 AM

I just tested with kafka_2.10-0.8.2.2, the same result.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...