Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Forwarder Output Compression Ratio- what is the expected bandwidth saving of a compressed stream if i activate it?

Matthias_BY
Communicator
‎06-20-2013 04:48 AM

Hello,

i can activate compression on the universal forwarder to the indexer. as i understand from the documentation and some answers entries the compression is different between ssl encryption and not.

compressed = [true|false]
* Applies to non-SSL forwarding only. For SSL useClientSSLCompression setting is used.
* If true, forwarder sends compressed data.
* If set to true, the receiver port must also have compression turned on (in its inputs.conf file).
* Defaults to false.

my question: what is the expected bandwidth saving of a compressed stream if i activate it? (useClientSSLCompression and non encrypted?

is it 1:10?

br
matthias

Labels (1)
Labels
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎06-25-2013 03:09 PM

What @bwooden and @Dimitri McKay is all true. Also, here are some rough numbers for compression ratio based on internal testing.

  1. Universal forwarder / uncooked data

    • no compression 1:1
    • "native" compression 1:8
    • SSL compression 1:14

  2. Regular forwarder / cooked data

    • no compression 1:1
    • "native" compression 1:2
    • SSL compression 1:8

View solution in original post

Reply
Solved! Jump to solution

Matthias_BY
Communicator
‎06-28-2013 08:03 AM

thanks a lot for all your valuable feedback. Hexx received the points with clear numbers - of course depending on the content within a log it may vary a little bit - but if it is going over wan it's definitely worth to enable compression and even better SSL compression. 😉

0 Karma
Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎06-25-2013 03:09 PM

What @bwooden and @Dimitri McKay is all true. Also, here are some rough numbers for compression ratio based on internal testing.

  1. Universal forwarder / uncooked data

    • no compression 1:1
    • "native" compression 1:8
    • SSL compression 1:14

  2. Regular forwarder / cooked data

    • no compression 1:1
    • "native" compression 1:2
    • SSL compression 1:8
Reply
Solved! Jump to solution

adobrzeniecki_s
Splunk Employee
Splunk Employee
‎11-15-2022 06:13 AM

Hey Hexx, is there a specific doc that shows these compression ratios? This information is fantastic! Would also like a link to the docs page if you have one. Thank you so much.

0 Karma
Reply
Solved! Jump to solution

andygerber
Path Finder
‎03-27-2022 05:44 PM

This is an old post, but as far as I can see still accurate.

Testing from an HF (azure data) to an indexer cluster, turning on SSL resulted in a 1:8 compression for very short (~65Byte) events.

Reply
Solved! Jump to solution

bwooden
Splunk Employee
Splunk Employee
‎06-25-2013 07:49 AM

Compression is achieved via zlib. Per Dimitri's answer, compression is variable based on content.

Additional information may be found here: http://splunk-base.splunk.com/answers/63384/what-kind-of-compression-is-used-between-forwarders-and-...

Reply
Solved! Jump to solution

Dimitri_McKay
Splunk Employee
Splunk Employee
‎06-25-2013 03:09 AM

That would be contingent upon the repetition and amount of empty space in the data to be compressed.

Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...