Getting Data In

Rate limiting for API or HTTP Event Collector?

Jeremiah
Motivator

Has anyone tried implementing rate-limiting on either the Splunk API, UI or the HTTP Event Collector? I'm thinking either on a per-IP, user, or token basis?

I know Splunk has built-in quotas for executing searches, but I'm thinking about the other ways you can overload a server, for example through excessive REST queries, programmatically refreshing the browser, or pushing excessive HEC events.

Maybe via load balancer, or by using an nginx frontend?

gblock_splunk
Splunk Employee
Splunk Employee

Hi Jeremiah

We don't have anything built in to rate limit access. Using something like nginx would be a good option.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!