What are the best HEC perf tuning configs?

hrawat
Splunk Employee

What are the best HEC perf tuning configs?

0 Karma
1 Solution

hrawat
Splunk Employee

inputs.conf
[http]
dedicatedIoThreads = 8
# Useful when HEC clients use connection pools and want to keep connections idle.
# Set it to 2 times the expected idle time of a connection.
busyKeepAliveIdleTimeout = 300
# Useful when HEC clients use connection pools and want to keep connections idle.
# Set it to 2 times the expected idle time of a connection.
# Supported from M-release for cloud and on-prem 8.2.0.
sslServerHandshakeTimeout = 300

On-prem Splunk version 9.4.0 and above can also use the auto pipeline feature, which scales up queues and pipelinesets instead of hardcoded values:

server.conf
[general]
autoAdjustQueue = true
pipelineSetAutoScale = true

server.conf (up to 9.3.x)
[general]
# Never set more than 3 on the indexing tier. However, on SH/HF it can be set up to the number of cores.
parallelIngestionPipelines = 2
# Avoid 503 responses; have enough queue buffer for spikes in ingestion.
[queue=indexQueue]
maxSize = 100MB
[queue=aggQueue]
maxSize = 100MB
[queue=parsingQueue]
# Must for HEC.
maxSize = 100MB
[queue=httpInputQ]
# Must for HEC. Use 100MB OR <10% of persistent queue size if persistent queue enabled>.
maxSize = 100MB
[queue=rulesetQueue]
maxSize = 100MB
[queue=typingQueue]
maxSize = 100MB

limits.conf
[input_channels]
# Ideally 2 times max(new_channels).
max_inactive = 10000
# max_inactive - 1000 recommended if max_inactive > 10000.
lowater_inactive = 9000

indexes.conf
[<PER_INDEX>]
# Needed if useACK=false and indexer cluster environment.
maxTimeUnreplicatedNoAcks = 60

Note: Don't set maxSize (server.conf) or queueSize (inputs.conf) to more than 10% of persistentQueueSize (if persistent queue is enabled).

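A small checker for the 10% note in the answer above, added here as an example and not part of the original post: it parses server.conf and inputs.conf text and reports any queue maxSize/queueSize that exceeds 10% of persistentQueueSize or is not a plain size value (Splunk .conf files have no inline comments, so a trailing `#...` becomes part of the value). The function names, the sample input, and reading persistentQueueSize from the [http] stanza are assumptions.

```python
import re

UNITS = {"KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; '#' lines are comments."""
    conf, stanza = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def to_bytes(value):
    """Return a size such as '100MB' in bytes, or None if it is not <int><unit>."""
    m = re.fullmatch(r"(\d+)\s*(KB|MB|GB|TB)", value, re.IGNORECASE)
    return int(m.group(1)) * UNITS[m.group(2).upper()] if m else None

def check_queues(server_conf, inputs_conf, input_stanza="http"):
    """Flag sizes that are malformed or above 10% of persistentQueueSize (assumed in [input_stanza])."""
    server, inputs = parse_conf(server_conf), parse_conf(inputs_conf)
    http = inputs.get(input_stanza, {})
    pq = to_bytes(http.get("persistentQueueSize", ""))
    sizes = {s: kv["maxSize"] for s, kv in server.items()
             if s.startswith("queue=") and "maxSize" in kv}
    if "queueSize" in http:
        sizes[f"{input_stanza}/queueSize"] = http["queueSize"]
    findings = []
    for name, value in sizes.items():
        size = to_bytes(value)
        if size is None:  # inline comment, or a unitless entry count
            findings.append((name, f"not a byte size: {value!r}"))
        elif pq is not None and size * 10 > pq:
            findings.append((name, f"{value} exceeds 10% of persistentQueueSize"))
    return findings

# Constructed sample input: one oversized queue, one value with an inline comment.
SERVER = """[queue=httpInputQ]
maxSize = 100MB
[queue=parsingQueue]
maxSize = 100MB #Must for HEC
"""
INPUTS = "[http]\npersistentQueueSize = 500MB\n"
```

Calling check_queues(SERVER, INPUTS) returns one finding per offending queue; an empty list means every size parsed and stayed within the limit.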

hrawat
Splunk Employee

Good catch. It was meant to be sslServerHandshakeTimeout. Will fix my answer.

0 Karma

gjanders
SplunkTrust

Definitely an improvement, however the sslServerHandshakeTimeout is in server.conf so perhaps the answer should advise that?
It looks like it refers currently to inputs.conf

0 Karma

hrawat
Splunk Employee
0 Karma

gjanders
SplunkTrust

OK, I see it now. The previous setting was in server.conf but this setting is in inputs.conf.

Thanks

0 Karma

gjanders
SplunkTrust

Just on inputs.conf you have:

inputs.conf 
[http]
#(useful when HEC clients are using connection pools and want to keep connections idle. Set it 2 times expected idle time of connection. )
sslServerSessionTimeout = 300

However I found that sslServerSessionTimeout appears to be in server.conf

Is that the wrong conf file?

0 Karma