Getting Data In

Where to set HEC httpinputq value ?

splunk_job
Engager

This is related to HEC queue size.

When I execute "index=_internal host=abc group="queue" name="httpinputq" | eval name=name+":"+host | stats values(name) by max_size_kb" => max_size_kb value showing as 107520KB.

Based on how indexing works diagram https://wiki.splunk.com/Community:HowIndexingWorks, HEC uses httpinputq but I am not able to find anything related to httpinpuq in Splunk Docs.

I am not sure from which configuration file max_size_kb value showing as 107520KB. I verified in all server.conf and inputs.conf files, but with no luck. Need help here to understand the source of max_size_kb value.

I also referred but with no luck: https://community.splunk.com/t5/All-Apps-and-Add-ons/When-HF-with-quot-Splunk-DB-Connect-quot-send-d...

Labels (1)
0 Karma
1 Solution

harsmarvania57
Ultra Champion

To set httpinputq, below configuration is working in server.conf

Please change queue size as per your requirement.

[queue=httpInputQ]
maxSize = 10MB

 

View solution in original post

0 Karma

harsmarvania57
Ultra Champion

To set httpinputq, below configuration is working in server.conf

Please change queue size as per your requirement.

[queue=httpInputQ]
maxSize = 10MB

 

0 Karma

splunk_job
Engager

server.conf and also as stated in your previous post, "queueSize" in inputs.conf also worked.

Thanks for your help and quick response on this.

https://community.splunk.com/t5/All-Apps-and-Add-ons/When-HF-with-quot-Splunk-DB-Connect-quot-send-d...

https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Inputsconf#HTTP_Event_Collector_.28HEC.29_-...

0 Karma

splunk_job
Engager

Thank you for your quick response @harsmarvania57 

when I run above splunk query, existing max_size_kb value showing as 107520KB. But, I am not able to find from where this value is coming from. It's not there in any .conf files (Not in server.conf too). 

 

0 Karma

harsmarvania57
Ultra Champion

Have you tried to check server.conf config using btool ?

0 Karma

splunk_job
Engager

@harsmarvania57 No luck with btool also. It's weird. 

0 Karma

harsmarvania57
Ultra Champion

In that case, you have peristent queue configured. Check inputs.conf using btool for peristent queue.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...