Hello,   This is the answer of Splunk Support : This behaviour is as designed. HTTP requests that do not supply User-Agent header are not trusted to be "true" HTTP/1.1 peers, therefore they are closed on completion. To take advantage of persistent connections, please set the User-Agent header in the request.   Best regards, Shini  ... View more

Hello, Full agree with you about this point.  Also, I write to Splunk support for asking them why they decided to implement the HEC server with a mix of HTTP/1.0 and HTTP/1.1 version without repecting the HTTP RFC. I am waiting the answer ! Also, I modify the omhttp module of Rsyslog to add an User-Agent header into all ost request for Splunk HEC to avoid this behavior for user like us. Information for you : In the version 8.2512 Rsyslog, I added the support of HEC Splunk server directly into the Omhttp code, so I simplify the use of omhttp and Splunk HEC. And in the next version, I rewrite the core of omhttp to optimize this module and to be able to send about ten Tb of data to multiple HEC servers. (I already use it on my side and it is faster than an UF). Best regards, Shini ... View more

Hello, I did the same test as you and I have got the same result. When you use the HEC you need to specify an "User-Agent" to use the HTTP/1.1 version. I did this test : action(name="omhttptest" type="omhttp" server="10.10.10.10" serverport="8088" profile="hec:splunk:event" template="tpl_omhttp_json_hec" token="X-X-X-X" errorfile="/var/log/omhttp_test_errors.log" statsbysenders="on" batch="on" httpheaders=["User-Agent: Rsyslog"] ) This behaviour is also available when you force HEC to accept only HTTP/1.1 with the params forceHttp10 = never For me, this is not a good implementation of the HTTP/1.1 protocol because, in this version of HTTP the params "User-Agent" is "should" and not "must"   For next step, I will ask Splunk why they decided to do like that. I will also do another PR to Rsyslog to patch this behaviour and add a custom User-Agent into the code of Omhttp in the profile HEC Splunk.   Thanks for your help @PickleRick    Best regards,       ... View more

Hello,   The keep-alive params in omhttp is in its own code. Those default params are : CURLOPT_TCP_KEEPALIVE -> 1 (activation of TCP keep-alive) CURLOPT_TCP_KEEPIDLE -> 120s  CURLOPT_TCP_KEEPINTVL -> 60s Also the header "Connectio: Keep-alive" is normaly not necesary if you use HTTP/1.1, this header is for HTTP/1.0. I tested with the addition of this  HTTP header to my request to check if this parms change something but it was an failed.   Also, I do not know why the POST answer of the HEC server code 200 add every time the header "Connection: close". It seems like the implementing of the HEC server is a mix between HTTP/1.1 and HTTP.1.0. Best regards, Shini      ... View more

Hello, I checked if my server used HTTP/1.0 version, and not the case. The connection between my server and the HEC is in HTTP/1.1. Also, the HTTP header "Connection: Keep-Alive" is correctly added in the HTTP header. I opened a case to the Splunk support to ask the why the HEC ignore keep-alive. Best regards Shini ... View more

Hello @PickleRick, The value is set to auto. But I do not think this is the main problem. For me, the HEC has a "hidden" params to force the HEC accepting Keep-Alive because as show in the previous comment, the HEC answers with "Connection: close" at each request.   Best regards, Shini ... View more

Hello @PickleRick, I already check the omhttp behaviour during a TCP session. The flow is like that : Rsyslog send SYN -> HEC send SYN ACK -> Rsyslog send PUSH (batch data of 1 Mb) -> HEC send PUSH (with answer {"text":"Success","code":0}) -> Rsyslog receive data -> HEC send TCP FIN -> Rsyslog answer TCP FIN  Example of Header send by Rsyslog to the POST Request : (Connection: Keep-Alive) POST /services/collector/event HTTP/1.1 Host: X.X.X.X:8088 Accept: */* Content-Type: text/plain Connection: Keep-Alive Authorization: Splunk XXX-XXX-XXX-XXX-XXXX Content-Length: 624 The HEC always anwer like that : Date: Thu, 18 Dec 2025 20:40:34 GMT Content-Type: application/json; charset=UTF-8 X-Content-Type-Options: nosniff Content-Length: 27 Vary: Authorization Connection: Close X-Frame-Options: SAMEORIGIN Server: Splunkd   So this is little bit "Magic". And if use HTTPS, this is an overload on my server, because I have one TLS handshake by each HTTP request... I do not know if someone has this "problem"    Best regards, Shini ... View more

Hello @livehybrid , In this case , there is not Proxy or Firewall between my server and the HEC server (hosted on an indexer). I set up the idle as good as it needs to be and the KeepAlive (Rsyslog side) is set up at 120 seconds. In my case I do more than one thousand HTTP request every seconds so I really need the TCP session to stay opened. Headers are correctly set and I use HTTP 1.1 version. So I do not know if I need to set the params « forceHttp10 » to « never » or another param. best regards shini ... View more