Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What are the best HEC perf tuning configs?

hrawat_splunk
Splunk Employee
Splunk Employee
‎06-13-2022 07:02 PM

What are the best HEC perf tuning configs?

Labels (3)
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎06-13-2022 07:04 PM

 

inputs.conf 
[http] 
dedicatedIoThreads = 8
busyKeepAliveIdleTimeout = 300 
#(useful when HEC clients are using connection pools and want to keep connections idle. Set it 2 times expected idle time of connection. )
sslServerHandshakeTimeout = 300 
#(useful when HEC clients are using connection pools and want to keep connections idle. Set it 2 times expected idle time of connection.
# Supported from M-release for cloud and on-prem 8.2.0)

server.conf 
[general] 
parallelIngestionPipelines = 2 
#(never set more than 3 on indexing tier. However on SH/HF it can be set upto number of cores)
#Avoid 503 response back, have enough queue buffer for spike in ingestion
[queue=indexQueue]
maxSize = 100MB
[queue=aggQueue]
maxSize = 100MB
[queue=parsingQueue]
maxSize = 100MB #Must for HEC
[queue=httpInputQ]
maxSize = 100MB #Must for HEC
[queue=rulesetQueue]
maxSize = 100MB
[queue=typingQueue]
maxSize = 100MB
limits.conf 
[input_channels]
max_inactive = 10000 
#( ideally 2 times max(new_channels))

[input_channels] 
lowater_inactive = 9000 
#( max_inactive -1000 recommended if max_inactive > 10000)

indexes.conf 
[<PER_INDEX>] 
maxTimeUnreplicatedNoAcks=60 
#( needed if useACK=false and indexer cluster environment)
 
 

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎08-10-2023 08:48 AM

Good catch. It was meant to be sslServerHandshakeTimeout. Will fix my answer.

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎08-10-2023 10:39 PM

Definitely an improvement, however the sslServerHandshakeTimeout is in server.conf so perhaps the answer should advise that?
It looks like it refers currently to inputs.conf

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎08-11-2023 03:21 AM

HEC specific config is in inputs.conf

https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎08-11-2023 03:49 AM

Ok I see it now. The previous setting was in server.confirm but this setting is in inputs.conf

 

thanks

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Solved! Jump to solution
Solution

hrawat_splunk
Splunk Employee
Splunk Employee
‎06-13-2022 07:04 PM

 

inputs.conf 
[http] 
dedicatedIoThreads = 8
busyKeepAliveIdleTimeout = 300 
#(useful when HEC clients are using connection pools and want to keep connections idle. Set it 2 times expected idle time of connection. )
sslServerHandshakeTimeout = 300 
#(useful when HEC clients are using connection pools and want to keep connections idle. Set it 2 times expected idle time of connection.
# Supported from M-release for cloud and on-prem 8.2.0)

server.conf 
[general] 
parallelIngestionPipelines = 2 
#(never set more than 3 on indexing tier. However on SH/HF it can be set upto number of cores)
#Avoid 503 response back, have enough queue buffer for spike in ingestion
[queue=indexQueue]
maxSize = 100MB
[queue=aggQueue]
maxSize = 100MB
[queue=parsingQueue]
maxSize = 100MB #Must for HEC
[queue=httpInputQ]
maxSize = 100MB #Must for HEC
[queue=rulesetQueue]
maxSize = 100MB
[queue=typingQueue]
maxSize = 100MB
limits.conf 
[input_channels]
max_inactive = 10000 
#( ideally 2 times max(new_channels))

[input_channels] 
lowater_inactive = 9000 
#( max_inactive -1000 recommended if max_inactive > 10000)

indexes.conf 
[<PER_INDEX>] 
maxTimeUnreplicatedNoAcks=60 
#( needed if useACK=false and indexer cluster environment)
 
 
Tags (1)
0 Karma
Reply
Solved! Jump to solution

gjanders
SplunkTrust
SplunkTrust
‎08-10-2023 12:32 AM

Just on inputs.conf you have:

inputs.conf 
[http] 
#(useful when HEC clients are using connection pools and want to keep connections idle. Set it 2 times expected idle time of connection. )
sslServerSessionTimeout = 300

However I found that sslServerSessionTimeout appears to be in server.conf

Is that the wrong conf file?

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...