Summary:
After upgrading from Splunk Enterprise or Splunk Cloud 6.x to 7.x, customers are reporting a bug with HTTP Event Collector (HEC). As a result:
- Some HEC events may not be getting ingested after the upgrade.
- There may be a reduction in performance (indexing throughput) related to HEC events.
What happened:
Splunk Enterprise and Splunk Cloud releases 7.x (“7.x”) include a limit on HTTP Event Collector (HEC) payloads of 512KB. This limit exists to prevent memory overuse. Post-7.0.x, HEC events with sizes exceeding 512KB are not resolved by the HEC parser, and may be dropped.
Which customers are impacted:
This issue may impact any customer meeting the following criteria:
- Are on Splunk Enterprise or Splunk Cloud 7.x
- Use HEC
- Have a payload size above 512KB
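A sender-side check for the third criterion, as an added example (not Splunk's code): it packs events into request bodies that stay within the limit and reports any single event that exceeds it on its own, so dropped events show up as a known gap rather than silent loss. Assumptions: "512KB" is taken as 512 * 1024 bytes measured on the request body, batched events are JSON objects joined by newlines, and `plan_hec_payloads` is a hypothetical name.

```python
import json

# Assumption: the page's "512KB" is read as 512 * 1024 bytes.
HEC_MAX_PAYLOAD_BYTES = 512 * 1024


def plan_hec_payloads(events, limit=HEC_MAX_PAYLOAD_BYTES):
    """Pack event dicts into request bodies that each stay within `limit`.

    Returns (payloads, oversized): payloads is a list of bytes bodies,
    oversized is a list of (index, size) for single events that alone
    exceed the limit and so cannot be sent as-is.
    """
    payloads, oversized = [], []
    current, current_size = [], 0
    for index, event in enumerate(events):
        blob = json.dumps(event, separators=(",", ":")).encode("utf-8")
        if len(blob) > limit:
            oversized.append((index, len(blob)))
            continue
        # One newline byte joins this event to the previous one in the body.
        added = len(blob) + (1 if current else 0)
        if current_size + added > limit:
            payloads.append(b"\n".join(current))
            current, current_size = [blob], len(blob)
        else:
            current.append(blob)
            current_size += added
    if current:
        payloads.append(b"\n".join(current))
    return payloads, oversized


if __name__ == "__main__":
    # Constructed sample data: 40 events of ~20 KB and one ~600 KB event.
    sample = [{"event": "x" * 20_000, "sourcetype": "demo"} for _ in range(40)]
    sample.append({"event": "y" * 600_000, "sourcetype": "demo"})
    bodies, too_big = plan_hec_payloads(sample)
    print(len(bodies), "payloads; largest", max(map(len, bodies)), "bytes")
    print("oversized events (index, bytes):", too_big)
```

Events listed in `oversized` need to be truncated or split by the sender before they are sent, and are worth logging locally so the ingestion gap is visible.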