Tuning Configuration Event Hub in Microsoft Cloud ...

Getting Data In

Hi,

I am having some trouble understanding the right configuration for collecting the Logs from the Event Hub of the App "Microsoft Cloud Services".
From the documentation: Configure Event Hubs it is not clear how to set these three parameters for a Log Source that collect A LOT of logs every minute.

interval --> The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds.
There is a way in the _internal logs to check when the command is executed?

max_batch_size --> The maximum number of events to retrieve in one batch. The default is 300.
This is pretty clear, but can we increase this value as much as we want? I believe we encounter some performance issue on that.

max_wait_time --> The maximum interval in seconds that the event processor will wait before processing. The default is 300 seconds.
Processing what? Waiting for what?

Anyone know a configuration of values between these three fields that could optimize an Event Hub with thousands and thousands of Logs ??

Get Updates on the Splunk Community!

Tuning Configuration Event Hub in Microsoft Cloud Services App

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation