Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Where to set HEC httpinputq value ?

splunk_job
Engager
‎08-13-2020 09:58 PM

This is related to HEC queue size.

When I execute "index=_internal host=abc group="queue" name="httpinputq" | eval name=name+":"+host | stats values(name) by max_size_kb" => max_size_kb value showing as 107520KB.

Based on how indexing works diagram https://wiki.splunk.com/Community:HowIndexingWorks, HEC uses httpinputq but I am not able to find anything related to httpinpuq in Splunk Docs.

I am not sure from which configuration file max_size_kb value showing as 107520KB. I verified in all server.conf and inputs.conf files, but with no luck. Need help here to understand the source of max_size_kb value.

I also referred but with no luck: https://community.splunk.com/t5/All-Apps-and-Add-ons/When-HF-with-quot-Splunk-DB-Connect-quot-send-d...

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎08-14-2020 02:26 AM

To set httpinputq, below configuration is working in server.conf

Please change queue size as per your requirement.

[queue=httpInputQ]
maxSize = 10MB

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

harsmarvania57
Ultra Champion
‎08-14-2020 02:26 AM

To set httpinputq, below configuration is working in server.conf

Please change queue size as per your requirement.

[queue=httpInputQ]
maxSize = 10MB

 

0 Karma
Reply
Solved! Jump to solution

splunk_job
Engager
‎08-26-2020 09:37 PM

server.conf and also as stated in your previous post, "queueSize" in inputs.conf also worked.

Thanks for your help and quick response on this.

https://community.splunk.com/t5/All-Apps-and-Add-ons/When-HF-with-quot-Splunk-DB-Connect-quot-send-d...

https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Inputsconf#HTTP_Event_Collector_.28HEC.29_-...

0 Karma
Reply
Solved! Jump to solution

splunk_job
Engager
‎08-14-2020 02:39 AM

Thank you for your quick response @harsmarvania57 

when I run above splunk query, existing max_size_kb value showing as 107520KB. But, I am not able to find from where this value is coming from. It's not there in any .conf files (Not in server.conf too). 

 

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎08-14-2020 02:40 AM

Have you tried to check server.conf config using btool ?

0 Karma
Reply
Solved! Jump to solution

splunk_job
Engager
‎08-16-2020 09:37 PM

@harsmarvania57 No luck with btool also. It's weird. 

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎08-17-2020 02:42 AM

In that case, you have peristent queue configured. Check inputs.conf using btool for peristent queue.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...