How does Splunk reconstruct events when using forc...

the_wolverine · ‎07-15-2016

According to this blog post: http://blogs.splunk.com/2014/03/18/time-based-load-balancing/

Using this setting Splunk can break
the data stream and reconstruct the
event properly on the indexer.

That's pretty awesome. How exactly does this work when autoLB breaks the event and sends each segment to a different indexer? How do the indexers figure out where the other portion of the event is for reconstruction?

diogofgm · ‎07-15-2016

The forwarder sends 64KB chunks of data to the indexer (no matter the events on it). When its forced to send data to a second indexer, it resends the last 64KB chunk again to the second indexer. So:
1 - The first indexer it will index everything before the last event break and ignore the rest (to avoid indexing an incomplete event).
2 - The second indexer will index the data after the last event break which will be complete by the following 64KB chunks data.

This works ok if the events are smaller that 64KB.

------------
Hope I was able to help you. If so, some karma would be appreciated.

the_wolverine · ‎07-15-2016

We're seeing broken events so I'm not sure if it's working as expected.

diogofgm · ‎07-19-2016

whats the size of your events? can you post a sample?

------------
Hope I was able to help you. If so, some karma would be appreciated.

dflodstrom · ‎01-05-2017

I'm also interested in the behavior of this setting. Any update for us?

How does Splunk reconstruct events when using forceTimebasedAutoLB?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases