Getting Data In

Which is the recommended way to input heavy load JSON data to Splunk?

wpoch
Engager

Hi everyone, I'm developing an integration with Splunk, and right now I'm using the Splunk Java SDK with the REST API and sending the events batch per documentation; the events are JSON encoded.

Now I'm considering if this is the best way to accomplish this, or should I use the TCP data inputs, or directly the Forwarders.

Any guidance will be welcome.

Thanks in advance.

0 Karma

alacercogitatus
SplunkTrust

While that is a perfectly good way to do it, you lose some granularity in the searches in Splunk due to the data being late coming in. The optimal way is to output to a file, and use the UF to send to Splunk. The benefits of using UF are outstanding:

  1. In the event of network communication errors, data will be backed up on the system until the connection between UF and Indexers is restored.
  2. Control over metadata for each file

That being said, you could also send directly to the new HTTP inputs in Splunk 6.3, but will be limiting your customer base until 6.3 is adopted widely.

0 Karma
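
The file-based approach from the answer above, as an added example (not code from the thread or from Splunk): the integration appends one JSON event per line to a spool file that a Universal Forwarder monitors. The class name, spool path, `timestamp` field and the stanza shown in the docstring are assumptions.

```python
import json
import os
import time


class JsonEventSpool:
    """Append one JSON event per line to a file that a Universal Forwarder monitors.

    Assumed inputs.conf stanza on the forwarder (path and index are placeholders):
        [monitor:///var/spool/myapp/events.json*]
        sourcetype = _json
        index = main
    """

    def __init__(self, path, max_bytes=10 * 1024 * 1024):
        self.path = path
        self.max_bytes = max_bytes
        self._fh = open(path, "a", encoding="utf-8")

    def write_batch(self, events):
        """Write a batch durably; returns the number of events written."""
        lines = []
        for ev in events:
            record = dict(ev)
            # Record the event time in the event itself (field name is an
            # assumption), so late delivery does not hide when it happened.
            record.setdefault("timestamp", time.time())
            # json.dumps escapes embedded newlines, so a field value can never
            # split one event into two lines (no forged events via log injection).
            lines.append(json.dumps(record, separators=(",", ":")))
        if not lines:
            return 0
        self._fh.write("\n".join(lines) + "\n")
        self._fh.flush()
        os.fsync(self._fh.fileno())  # on disk before we report success
        if os.fstat(self._fh.fileno()).st_size >= self.max_bytes:
            self._rotate()
        return len(lines)

    def _rotate(self):
        """Rename the full file and start a new one, keeping the spool bounded."""
        self._fh.close()
        os.replace(self.path, f"{self.path}.{time.time_ns()}")
        self._fh = open(self.path, "a", encoding="utf-8")

    def close(self):
        self._fh.close()
```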

wpoch
Engager

First of all, thanks for the answer.

So, in case we want to be able to send high throughput data over the internet, we keep using the REST API, and eventually migrate it to the new HTTP Event Collector. Also, on controlled or on-prem environments we should use a TCP input with a previously created input on Splunk for better performance.

Finally, recommend to our customers: if they can install a UF, use that.

We want to keep the UX as simple as possible, by not installing additional software (Universal Forwarder).

Kind regards,

0 Karma