Getting Data In

Where to set HEC httpinputq value ?

splunk_job
Engager

This is related to HEC queue size.

When I execute "index=_internal host=abc group="queue" name="httpinputq" | eval name=name+":"+host | stats values(name) by max_size_kb" => max_size_kb value showing as 107520KB.

Based on how indexing works diagram https://wiki.splunk.com/Community:HowIndexingWorks, HEC uses httpinputq but I am not able to find anything related to httpinpuq in Splunk Docs.

I am not sure from which configuration file max_size_kb value showing as 107520KB. I verified in all server.conf and inputs.conf files, but with no luck. Need help here to understand the source of max_size_kb value.

I also referred but with no luck: https://community.splunk.com/t5/All-Apps-and-Add-ons/When-HF-with-quot-Splunk-DB-Connect-quot-send-d...

Labels (1)
0 Karma
1 Solution

harsmarvania57
Ultra Champion

To set httpinputq, below configuration is working in server.conf

Please change queue size as per your requirement.

[queue=httpInputQ]
maxSize = 10MB

 

View solution in original post

0 Karma

harsmarvania57
Ultra Champion

To set httpinputq, below configuration is working in server.conf

Please change queue size as per your requirement.

[queue=httpInputQ]
maxSize = 10MB

 

0 Karma

splunk_job
Engager

server.conf and also as stated in your previous post, "queueSize" in inputs.conf also worked.

Thanks for your help and quick response on this.

https://community.splunk.com/t5/All-Apps-and-Add-ons/When-HF-with-quot-Splunk-DB-Connect-quot-send-d...

https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Inputsconf#HTTP_Event_Collector_.28HEC.29_-...

0 Karma

splunk_job
Engager

Thank you for your quick response @harsmarvania57 

when I run above splunk query, existing max_size_kb value showing as 107520KB. But, I am not able to find from where this value is coming from. It's not there in any .conf files (Not in server.conf too). 

 

0 Karma

harsmarvania57
Ultra Champion

Have you tried to check server.conf config using btool ?

0 Karma

splunk_job
Engager

@harsmarvania57 No luck with btool also. It's weird. 

0 Karma

harsmarvania57
Ultra Champion

In that case, you have peristent queue configured. Check inputs.conf using btool for peristent queue.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...