Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk HTTP Event Collector intermittently sending "Server is busy"

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-06-2023 07:30 AM

Example

ERROR HttpInputDataHandler [7000
HttpDedicatedIoThread-1] - Failed processing http input, token
name=hec-token, channel=n/a, source_IP=xxx.xxx.xxx.xxx, reply=9,
events_processed=nnn, http_input_body_size=yyyyyyy, parsing_err="Server is
busy"

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-06-2023 07:42 AM

If HEC server is continuously sending 503 reply with "Server is busy", you can discard this reply.

If HEC server is intermittently sending 503 reply with "Server is busy", then first understand following fields.

events_processed=number of events successfully inserted into pipeline queue
http_input_body_size=http POST payload size sent by HEC client


HEC server knows the http POST payload size, but it does not know how many events the payload has.
So after inserting events_processed events into the pipeline queue, HEC server receiver thread finds that now the pipeline queue is blocked. It still has some unknown number of events un-processed. Waits for 1 sec for the queue to have space to insert next event. If still not enough space in the queue, then HEC server drops remaining events of the payload and replies 503 "Server is busy".

To mitigate this problem, always ensure the parsingqueue is atleast 10 times more than the max POST payload.

In server.conf

[queue=parsingQueue] 
maxSize = <minimum 10 x (max expected POST payload size)>



View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎09-06-2023 07:42 AM

If HEC server is continuously sending 503 reply with "Server is busy", you can discard this reply.

If HEC server is intermittently sending 503 reply with "Server is busy", then first understand following fields.

events_processed=number of events successfully inserted into pipeline queue
http_input_body_size=http POST payload size sent by HEC client


HEC server knows the http POST payload size, but it does not know how many events the payload has.
So after inserting events_processed events into the pipeline queue, HEC server receiver thread finds that now the pipeline queue is blocked. It still has some unknown number of events un-processed. Waits for 1 sec for the queue to have space to insert next event. If still not enough space in the queue, then HEC server drops remaining events of the payload and replies 503 "Server is busy".

To mitigate this problem, always ensure the parsingqueue is atleast 10 times more than the max POST payload.

In server.conf

[queue=parsingQueue] 
maxSize = <minimum 10 x (max expected POST payload size)>



0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...