Monitoring Splunk

Is it possible to configure HTTP Event Collector for faster response time per request?

richardAtOmni
Path Finder

I wrote a simple test to push logs to Splunk through the Http Event Collector, directly using .NET webclient. The code simply loops and pushes a web request to the collector on the Splunk instance running on my local machine.

Running this test, I'm finding that I cannot get logs into Splunk any faster than a single log line per second. The code is very simple, so I'm sure that there aren't any delays on the client side. What I'm seeing is that it usually takes up to a full second for Splunk to respond with the "OK" response. I'm concerned this will become a performance bottleneck for my application.

I'm wondering if this is the approximate expected response time per request. It almost seems like this is being intentionally throttled. If it is, is this configurable?

I understand higher performance can be achieved by batching requests, or by spawning mutliple clients and issuing these requests in parallel. I want to know however what is the throughput limit that can be achieved on a per thread basis without batching. Any insight that can be provided would be appreciated.

Thanks!

Richard

0 Karma
1 Solution

richardAtOmni
Path Finder

I figured out the problem. I had my test running through Fiddler, which was forcing it to renegotiate the SSL handshake for every request. Once I routed the test directly the response times were much better – 2ms or better.

Thanks,
Richard

View solution in original post

0 Karma

richardAtOmni
Path Finder

I figured out the problem. I had my test running through Fiddler, which was forcing it to renegotiate the SSL handshake for every request. Once I routed the test directly the response times were much better – 2ms or better.

Thanks,
Richard

0 Karma

richardAtOmni
Path Finder

Just an additional note: I measured the time each call takes to send and receive a response, and they seem to take approx. 1.35 seconds each. This is much slower than I would have expected. Is this normal?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...