Splunk HEC closes connection instead of re-using it

onlineops
Explorer

Our apps send data to the Splunk HEC via HTTP POSTS. The apps are configured to use a connection pool, but after sending data to Splunk (via HTTP POSTS), the Splunk server responds with a Status 200 and the "Connection: Close" header. This instructs our apps to close their connection instead of reusing the connection.

How can I stop this behavior? Right now it's constantly re-creating a connection thousands of times instead of just re-using the same connection.

0 Karma

onlineops
Explorer

To fix this issue, we had our client insert the "Connection: Keep-Alive" header into the HTTP POST requests. This instructed the Splunk server to keep the connection alive.

PickleRick
SplunkTrust

Interesting find. It's inconsistent with the docs, so it calls for a support case or at least docs feedback.

0 Karma

PickleRick
SplunkTrust

Are your clients sending proper HTTP/1.1? Splunk should support keep-alive out of the box.

0 Karma

onlineops
Explorer

Thank you for replying. Yes, the client is using HTTP 1.1 when sending the HTTP POSTS. This was verified within the packet capture.

0 Karma

PickleRick
SplunkTrust

Well, this says that Splunk should normally behave properly with HTTP/1.1

https://docs.splunk.com/Documentation/Splunk/latest/Data/TroubleshootHTTPEventCollector#Detect_scali...

Another thing to consider.

forceHttp10 = [auto|never|always]
* Whether or not the REST HTTP server forces clients that connect
  to it to use the HTTP 1.0 specification for web communications.
* When set to "always", the REST HTTP server does not use some
  HTTP 1.1 features such as persistent connections or chunked
  transfer encoding.
* When set to "auto", it does this only if the client did not send
  a User-Agent header, or if the user agent is known to have bugs
  in its support of HTTP/1.1.
* When set to "never" it always allows HTTP 1.1, even to
  clients it suspects might be buggy.
* Default: auto
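
To confirm whether a client really reuses its connection after a change like the one in the accepted solution, count the TCP connects it makes per batch of POSTs. The following is an added example, not code from any poster or from Splunk: `MockHEC` is a constructed local stand-in that mimics the behaviour described in the first post (it answers `Connection: close` unless the request carries `Connection: Keep-Alive`), and the token is a placeholder.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

class MockHEC(BaseHTTPRequestHandler):  # constructed stand-in, not Splunk code
    protocol_version = "HTTP/1.1"
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        keep = self.headers.get("Connection", "").lower() == "keep-alive"
        body = b'{"text":"Success","code":0}'
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Connection", "keep-alive" if keep else "close")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

class CountingConnection(http.client.HTTPConnection):
    connects = 0  # TCP connections opened through this object
    def connect(self):
        self.connects += 1
        super().connect()

def send_events(port, n, keep_alive_header):  # -> (TCP connects, Connection values seen)
    conn = CountingConnection("127.0.0.1", port, timeout=5)
    headers = {"Authorization": "Splunk <placeholder-token>"}
    if keep_alive_header:
        headers["Connection"] = "Keep-Alive"
    seen = set()
    for _ in range(n):
        conn.request("POST", "/services/collector/event", body=b'{"event": "constructed"}', headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the socket can be reused
        seen.add((resp.getheader("Connection") or "").lower())
    conn.close()
    return conn.connects, seen

def run_demo(n=5):
    with ThreadingHTTPServer(("127.0.0.1", 0), MockHEC) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        port = server.server_address[1]
        result = {"without": send_events(port, n, False), "with": send_events(port, n, True)}
        server.shutdown()
    return result

if __name__ == "__main__":
    print(run_demo())
```

A connect count equal to the number of events means every POST paid for a new TCP handshake; a count of 1 means the connection was reused.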