Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarder Output Compression Ratio- what is the expected bandwidth saving of a compressed stream if i activate it?

Matthias_BY
Communicator
‎06-20-2013 04:48 AM

Hello,

i can activate compression on the universal forwarder to the indexer. as i understand from the documentation and some answers entries the compression is different between ssl encryption and not.

compressed = [true|false]
* Applies to non-SSL forwarding only. For SSL useClientSSLCompression setting is used.
* If true, forwarder sends compressed data.
* If set to true, the receiver port must also have compression turned on (in its inputs.conf file).
* Defaults to false.

my question: what is the expected bandwidth saving of a compressed stream if i activate it? (useClientSSLCompression and non encrypted?

is it 1:10?

br
matthias

Labels (1)
Labels
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎06-25-2013 03:09 PM

What @bwooden and @Dimitri McKay is all true. Also, here are some rough numbers for compression ratio based on internal testing.

  1. Universal forwarder / uncooked data

    • no compression 1:1
    • "native" compression 1:8
    • SSL compression 1:14

  2. Regular forwarder / cooked data

    • no compression 1:1
    • "native" compression 1:2
    • SSL compression 1:8

View solution in original post

Reply
Solved! Jump to solution

Matthias_BY
Communicator
‎06-28-2013 08:03 AM

thanks a lot for all your valuable feedback. Hexx received the points with clear numbers - of course depending on the content within a log it may vary a little bit - but if it is going over wan it's definitely worth to enable compression and even better SSL compression. 😉

0 Karma
Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎06-25-2013 03:09 PM

What @bwooden and @Dimitri McKay is all true. Also, here are some rough numbers for compression ratio based on internal testing.

  1. Universal forwarder / uncooked data

    • no compression 1:1
    • "native" compression 1:8
    • SSL compression 1:14

  2. Regular forwarder / cooked data

    • no compression 1:1
    • "native" compression 1:2
    • SSL compression 1:8
Reply
Solved! Jump to solution

adobrzeniecki_s
Splunk Employee
Splunk Employee
‎11-15-2022 06:13 AM

Hey Hexx, is there a specific doc that shows these compression ratios? This information is fantastic! Would also like a link to the docs page if you have one. Thank you so much.

0 Karma
Reply
Solved! Jump to solution

andygerber
Path Finder
‎03-27-2022 05:44 PM

This is an old post, but as far as I can see still accurate.

Testing from an HF (azure data) to an indexer cluster, turning on SSL resulted in a 1:8 compression for very short (~65Byte) events.

Reply
Solved! Jump to solution

bwooden
Splunk Employee
Splunk Employee
‎06-25-2013 07:49 AM

Compression is achieved via zlib. Per Dimitri's answer, compression is variable based on content.

Additional information may be found here: http://splunk-base.splunk.com/answers/63384/what-kind-of-compression-is-used-between-forwarders-and-...

Reply
Solved! Jump to solution

Dimitri_McKay
Splunk Employee
Splunk Employee
‎06-25-2013 03:09 AM

That would be contingent upon the repetition and amount of empty space in the data to be compressed.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...