HI Graham
Thanks for the detailed reply. At the end of the day I'd say our choice of HTTP was based on multiple factors, not just one. Several of those factors are not compatible with the design of our TCP input, though as you've shown there is some overlap.
Using a TCP Input from the browser. I did not know that would work so kudos there! HTTP is layered on TCP so that makes sense, but it won't support protocol specific things like for example CORS, keep-alive, gzip encoding or honoring the auth header. Not supporting the auth header is a big one, as a big part of HEC is the security model. It is just using TCP as a transport for an HTTP message. It also won't support the specifics of our event protocol like source type etc. Sure you can use props.conf and start doing all sorts of custom extractions, but HTTP servers are built for this, and it will not be as efficient / using props will be brittle.
Stateful vs Stateless - TCP is a stateful protocol. You are establishing a persistent connection over a port which you communicate with. HTTP abstracts this away in its layering and supports optimizations like keep-alive, hence why HTTP is stateless and TCP is not. In your example it is closing the TCP connection after each request which can be expensive.
Load balancers - Yes you can load balance TCP but it is expensive. For example NGINX does have TCP load balancing but only if you pay for the premium product (NGINX Plus). There are a boat load of free (including NGINX) HTTP load balancing options out there. Also when it comes to cloud providers, not all support load balancing for TCP, but they all support HTTP.
... View more
