Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk HTTP Event Collector intermittently sending "Server is busy"

hrawat
Splunk Employee
Splunk Employee
‎09-06-2023 07:30 AM

Example

ERROR HttpInputDataHandler [7000
HttpDedicatedIoThread-1] - Failed processing http input, token
name=hec-token, channel=n/a, source_IP=xxx.xxx.xxx.xxx, reply=9,
events_processed=nnn, http_input_body_size=yyyyyyy, parsing_err="Server is
busy"

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hrawat
Splunk Employee
Splunk Employee
‎09-06-2023 07:42 AM

If HEC server is continuously sending 503 reply with "Server is busy", you can discard this reply.

If HEC server is intermittently sending 503 reply with "Server is busy", then first understand following fields.

events_processed=number of events successfully inserted into pipeline queue
http_input_body_size=http POST payload size sent by HEC client


HEC server knows the http POST payload size, but it does not know how many events the payload has.
So after inserting events_processed events into the pipeline queue, HEC server receiver thread finds that now the pipeline queue is blocked. It still has some unknown number of events un-processed. Waits for 1 sec for the queue to have space to insert next event. If still not enough space in the queue, then HEC server drops remaining events of the payload and replies 503 "Server is busy".

To mitigate this problem, always ensure the parsingqueue is atleast 10 times more than the max POST payload.

In server.conf

[queue=parsingQueue] 
maxSize = <minimum 10 x (max expected POST payload size)>



View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hrawat
Splunk Employee
Splunk Employee
‎09-06-2023 07:42 AM

If HEC server is continuously sending 503 reply with "Server is busy", you can discard this reply.

If HEC server is intermittently sending 503 reply with "Server is busy", then first understand following fields.

events_processed=number of events successfully inserted into pipeline queue
http_input_body_size=http POST payload size sent by HEC client


HEC server knows the http POST payload size, but it does not know how many events the payload has.
So after inserting events_processed events into the pipeline queue, HEC server receiver thread finds that now the pipeline queue is blocked. It still has some unknown number of events un-processed. Waits for 1 sec for the queue to have space to insert next event. If still not enough space in the queue, then HEC server drops remaining events of the payload and replies 503 "Server is busy".

To mitigate this problem, always ensure the parsingqueue is atleast 10 times more than the max POST payload.

In server.conf

[queue=parsingQueue] 
maxSize = <minimum 10 x (max expected POST payload size)>



0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...