Will have a very variable throughput. Some time with a lot of Http request (about 100.000 per seconds during one minute) and some minutes without any request.
I suppose that splunk do some buffering for dealing with high volume.
Is there a configuration parameter to configure the 'max flush time'. This time is the max amount of time that splunk will wait some new event for filling its buffer ?
In other term splunk will decide to send events event the buffer is half filled.
We want to be sure that if we wait X seconds after the last message receive by our system, we don't miss some event awaiting others in any buffer.