Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Splunk HEC response time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello community, how can I build a report that allows me to know what the response time it takes for requests via HTTP Events Collector.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Response time would have to be measured from the client side. The metrics that Splunk has available for HEC performance can be found at: https://docs.splunk.com/Documentation/Splunk/latest/Data/TroubleshootHTTPEventCollector
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Response time would have to be measured from the client side. The metrics that Splunk has available for HEC performance can be found at: https://docs.splunk.com/Documentation/Splunk/latest/Data/TroubleshootHTTPEventCollector
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @masonmo for you answer,
It is correct, we have the measurement and it gives us that the average is 800ms which is very high, I don't know if it is because the Splunk Cloud instance is in Brazil.
I just wanted to know if it is possible to make that measurement also on the Splunk side.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@lufermalgo :- you can look for _indextime of your logs coming from HTTP event collector and compare with the timestamp in logs. The difference will be the response time between logs sent from source and indexed at Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you @Vijeta for you answer,
Based on your input, should I assume that an HEC request is not released until the event is written in the index?
I usually use that indicator to identify if there is a delay in writing the event in the indexes, but I'm not sure if I can also assume that it would be the response time of HEC.
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is meant by HEC response time here? The time HEC event is released from source and reaches Splunk HEC instance or Splunk indexer. The time between HEC instance(HF) to indexer would be very very small rather instant, so I would consider response time as time when event was indexed and time when event was released from the actual source.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
