Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Events missing via http event collector

phagunbaya
Explorer
‎12-23-2015 08:45 AM

I'm seeing a behaviour where some of my events are missing after been sent to http event collector. I'm sending single event per request. Sometimes it shows all the events and sometimes it does not. Normally it happens if the frequency is high (4-5 events per second).

Reply

splunker_2016_N
Engager
‎11-17-2016 07:16 AM

did this get fixed , even im missing a few events while running from java aws lambda

Reply

gblock_splunk
Splunk Employee
Splunk Employee
‎02-13-2016 09:16 PM

4 - 5 events per second is not high, we've designed HEC to support 100K a second on a single instance 🙂

  1. How big are the events?
  2. Are you getting a 200 OK response consistently?
  3. What is your configuration? Are you sending directly to HEC running on an indexer, or are you hosting HEC on a heavyweight forwarder and forwarding to the indexer?
0 Karma
Reply

netrc
New Member
‎02-24-2016 12:06 PM

I've seen HEC drop data with small events (100 bytes), sent 4-5/sec, for just a couple seconds (all just for testing). Each POST returns status 200 (OK). Tried this with both bash script using curl and also nodeJS; direct from the script to the HEC on the indexer. (Yes, the indexer is a little busy with other work). Over a couple hundred events, I've seen only 50% get stored.

But I'd think that getting a 200 (OK) would mean that the data is stored for sure in Splunk.

0 Karma
Reply

jplumsdaine22
Influencer
‎12-30-2015 06:52 AM

Are you getting a response from the indexer every time that the event was collected?

0 Karma
Reply

phagunbaya
Explorer
‎01-08-2016 07:19 AM

Yes. response was 200.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎12-30-2015 11:07 AM

This is a good point from jplumsdaine22... Do you confirm a 200 response and if not retry / fall back into an exception that can be handled?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...