About tyates_ctm

tyates_ctm · ‎07-26-2022

TL;DR: check `server` in `[tcpout:]` in `outputs.conf` of the server (not UFs) I got this error after migrating onto bigger servers. The cause was the `server` attribute in the `[tcpout:]` stanza in `outputs.conf` on the various members of the cluster hadn't been updated. I have no idea why, but at some point over the past 5 years that same attribute on the UFs had been pointed at different DNS records, so the indexers were receiving the important data from across the estate. Hope this helps someone.

tyates_ctm · ‎07-22-2022

Thanks for the reply @richgalloway , but that doesn't answer my question at all. I am not interested in how performant HEC is in absolute terms (I'm not even sure "very" is a particularly meaningful measure of performance). Only when compared to UF to Splunk using TCP.

tyates_ctm · ‎07-13-2022

I've had quite a good look around the internet and have been unable to find an answer to this question. This question in particular touches on it, but the performance comparison is left unanswered. We are thinking about moving away from Splunk UF to an open source solution, which will likely only support HEC. Before making this change I'd like to know any consequences on performance/resource usage on the indexers. What are the impacts on resource usage and index/search performance between UF and HEC?

Posts	3
Solutions	0
Karma Given	1
Karma Received	0
Member Since	‎07-13-2022

Online Status	Offline
Date Last Visited	‎07-26-2022 12:28 PM

Is HEC as performant as TCP?

Re: Why are we receiving this ingestion latency er...

Re: Is HEC as performant as TCP?

Is HEC as performant as TCP?