Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

An issue with the HTTP Event Collector (HEC) has been identified in Splunk 7.x

jmaher_splunk
Splunk Employee
Splunk Employee
‎07-26-2018 08:55 AM

Summary:
After upgrading from Splunk Enterprise or Splunk Cloud 6.x to 7.x, customers are reporting a bug with HTTP Event Collector (HEC). As a result:

  • Some HEC events may not be getting ingested after the upgrade
  • There may be a reduction in performance (indexing throughput) related to HEC events.

What happened:
Splunk Enterprise and Splunk Cloud releases 7.x (“7.x”) include a limit on HTTP Event Collector (HEC) payloads of 512KB. This limit exists to prevent memory overuse. Post-7.0.x, HEC events with sizes exceeding 512KB are not resolved by the HEC parser, and may be dropped.

Which customers are impacted:
This issue may impact any customer meeting the following criteria:

  1. Are on Splunk Enterprise or Splunk Cloud 7.x
  2. Use HEC
  3. Have a payload size above 512KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jmaher_splunk
Splunk Employee
Splunk Employee
‎07-26-2018 02:36 PM

Resolution:

  • Splunk is working on a resolution to ensure the HEC module in Splunk Enterprise and Splunk Cloud 7.x is more tolerant of larger payloads by default, and we also plan to make the limit configurable to suit specific needs.
  • Splunk Cloud customers that are potentially impacted, will be contacted over the next few weeks to schedule a maintenance window
  • For Splunk Enterprise customers that are potentially impacted, this will be fixed in 7.0.5 (ETA July 27) and 7.1.3 (End of August). We will post to this thread as the maintenance releases are available.

View solution in original post

Reply
Solved! Jump to solution
Solution

jmaher_splunk
Splunk Employee
Splunk Employee
‎07-26-2018 02:36 PM

Resolution:

  • Splunk is working on a resolution to ensure the HEC module in Splunk Enterprise and Splunk Cloud 7.x is more tolerant of larger payloads by default, and we also plan to make the limit configurable to suit specific needs.
  • Splunk Cloud customers that are potentially impacted, will be contacted over the next few weeks to schedule a maintenance window
  • For Splunk Enterprise customers that are potentially impacted, this will be fixed in 7.0.5 (ETA July 27) and 7.1.3 (End of August). We will post to this thread as the maintenance releases are available.
Reply
Solved! Jump to solution

adammike
New Member
‎06-19-2019 02:57 PM

and we also plan to make the limit configurable to suit specific needs

How do I configure this? I can't find anything in the docs or online

0 Karma
Reply
Solved! Jump to solution

sylim_splunk
Splunk Employee
Splunk Employee
‎08-19-2020 06:33 PM 
maxEventSize = <positive integer>[KB|MB|GB]
* The maximum size of a single HEC (HTTP Event Collector) event.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf 

0 Karma
Reply
Solved! Jump to solution

shankern
Explorer
‎07-30-2018 10:53 PM

Is gzip content encoding header supported on HEC ? Would be useful while posting large payloads.

0 Karma
Reply
Solved! Jump to solution

jmaher_splunk
Splunk Employee
Splunk Employee
‎07-28-2018 12:07 AM

Update:

The latest maintenance release, 7.0.5, for Splunk Enterprise and Splunk UniversalForwarder are now available from the Download site.
Please note as 7.0.5 is not the latest version, you can find it under the “Older Releases” section.

Download: https://www.splunk.com/en_us/download.html
Known Issues: http://docs.splunk.com/Documentation/Splunk/7.0.5/ReleaseNotes/Knownissues
Fixed Issues: http://docs.splunk.com/Documentation/Splunk/7.0.5/ReleaseNotes/Fixedissues

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...