Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How does Splunk reconstruct events when using forceTimebasedAutoLB?

the_wolverine
Champion
‎07-15-2016 11:03 AM

According to this blog post: http://blogs.splunk.com/2014/03/18/time-based-load-balancing/

Using this setting Splunk can break
the data stream and reconstruct the
event properly on the indexer.

That's pretty awesome. How exactly does this work when autoLB breaks the event and sends each segment to a different indexer? How do the indexers figure out where the other portion of the event is for reconstruction?

Reply

diogofgm
SplunkTrust
SplunkTrust
‎07-15-2016 11:26 AM

The forwarder sends 64KB chunks of data to the indexer (no matter the events on it). When its forced to send data to a second indexer, it resends the last 64KB chunk again to the second indexer. So:
1 - The first indexer it will index everything before the last event break and ignore the rest (to avoid indexing an incomplete event).
2 - The second indexer will index the data after the last event break which will be complete by the following 64KB chunks data.

This works ok if the events are smaller that 64KB.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

the_wolverine
Champion
‎07-15-2016 01:22 PM

We're seeing broken events so I'm not sure if it's working as expected.

0 Karma
Reply

diogofgm
SplunkTrust
SplunkTrust
‎07-19-2016 08:24 AM

whats the size of your events? can you post a sample?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply

dflodstrom
Builder
‎01-05-2017 06:17 AM

I'm also interested in the behavior of this setting. Any update for us?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...