Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

An issue with the HTTP Event Collector (HEC) has been identified in Splunk 7.x

jmaher_splunk
Splunk Employee
Splunk Employee
‎07-26-2018 08:55 AM

Summary:
After upgrading from Splunk Enterprise or Splunk Cloud 6.x to 7.x, customers are reporting a bug with HTTP Event Collector (HEC). As a result:

  • Some HEC events may not be getting ingested after the upgrade
  • There may be a reduction in performance (indexing throughput) related to HEC events.

What happened:
Splunk Enterprise and Splunk Cloud releases 7.x (“7.x”) include a limit on HTTP Event Collector (HEC) payloads of 512KB. This limit exists to prevent memory overuse. Post-7.0.x, HEC events with sizes exceeding 512KB are not resolved by the HEC parser, and may be dropped.

Which customers are impacted:
This issue may impact any customer meeting the following criteria:

  1. Are on Splunk Enterprise or Splunk Cloud 7.x
  2. Use HEC
  3. Have a payload size above 512KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jmaher_splunk
Splunk Employee
Splunk Employee
‎07-26-2018 02:36 PM

Resolution:

  • Splunk is working on a resolution to ensure the HEC module in Splunk Enterprise and Splunk Cloud 7.x is more tolerant of larger payloads by default, and we also plan to make the limit configurable to suit specific needs.
  • Splunk Cloud customers that are potentially impacted, will be contacted over the next few weeks to schedule a maintenance window
  • For Splunk Enterprise customers that are potentially impacted, this will be fixed in 7.0.5 (ETA July 27) and 7.1.3 (End of August). We will post to this thread as the maintenance releases are available.

View solution in original post

Reply
Solved! Jump to solution
Solution

jmaher_splunk
Splunk Employee
Splunk Employee
‎07-26-2018 02:36 PM

Resolution:

  • Splunk is working on a resolution to ensure the HEC module in Splunk Enterprise and Splunk Cloud 7.x is more tolerant of larger payloads by default, and we also plan to make the limit configurable to suit specific needs.
  • Splunk Cloud customers that are potentially impacted, will be contacted over the next few weeks to schedule a maintenance window
  • For Splunk Enterprise customers that are potentially impacted, this will be fixed in 7.0.5 (ETA July 27) and 7.1.3 (End of August). We will post to this thread as the maintenance releases are available.
Reply
Solved! Jump to solution

adammike
New Member
‎06-19-2019 02:57 PM

and we also plan to make the limit configurable to suit specific needs

How do I configure this? I can't find anything in the docs or online

0 Karma
Reply
Solved! Jump to solution

sylim_splunk
Splunk Employee
Splunk Employee
‎08-19-2020 06:33 PM 
maxEventSize = <positive integer>[KB|MB|GB]
* The maximum size of a single HEC (HTTP Event Collector) event.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf 

0 Karma
Reply
Solved! Jump to solution

shankern
Explorer
‎07-30-2018 10:53 PM

Is gzip content encoding header supported on HEC ? Would be useful while posting large payloads.

0 Karma
Reply
Solved! Jump to solution

jmaher_splunk
Splunk Employee
Splunk Employee
‎07-28-2018 12:07 AM

Update:

The latest maintenance release, 7.0.5, for Splunk Enterprise and Splunk UniversalForwarder are now available from the Download site.
Please note as 7.0.5 is not the latest version, you can find it under the “Older Releases” section.

Download: https://www.splunk.com/en_us/download.html
Known Issues: http://docs.splunk.com/Documentation/Splunk/7.0.5/ReleaseNotes/Knownissues
Fixed Issues: http://docs.splunk.com/Documentation/Splunk/7.0.5/ReleaseNotes/Fixedissues

0 Karma
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...

Enterprise Security Content Update (ESCU) | New Releases

In March, the Splunk Threat Research Team had 2 releases of security content via the Enterprise Security ...

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!

The Splunk Developer Program is launching in beta, and we’re celebrating with an exciting hackathon! This is ...
Top