Getting Data In

Max connection count to API?

twinspop
Influencer

I wrote a simple, REST-based proxy to query Splunk's REST API from SiteScope. The proxy manages job creation, tracking etc so that SiteScope can simply issue a GET on a URL and get easily parsable XML in return. I have 25 or so monitors that use it, and they run once per minute.

Very often the proxy gets a 503 server unavailable message from Splunk. Apparently I'm hitting a limit on the API interface? Is there a switch to adjust this?

v4.1.5

EDIT2:

My $SPLUNK_HOME/etc/system/local/authorize.conf file:

[default]
run_web_script_fields = enabled
run_web_script_surrounding_events = enabled

[role_user]
srchJobsQuota = 16

The user I am hitting the API with is in the "user" role.

Tags (3)
0 Karma

tradel
New Member

Try this in server.conf:

[managementServer]
maxBackLog = 100
requestQueueSize = 100
threadPoolSize = 100
0 Karma

twinspop
Influencer

More research from the SiteScope end: When I get the error there are at most 2 or 3 other searches running. Doesn't seem like too many.

0 Karma

twinspop
Influencer

Nope. Still getting the 503s. 😞

0 Karma

twinspop
Influencer
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...

Build and Launch AI Agents from Your Splunk Workflows

  Register We’ve all been there: juggling alerts, runbooks, and endless manual searches. What if you could ...

Splunk Cloud Application Management in Terraform

Register   On Tuesday, August 4 at 11AM PDT / 2PM EDT, we’re diving into how you can bring Infrastructure as ...