Getting Data In

Where to set HEC httpinputq value ?

splunk_job
Engager

This is related to HEC queue size.

When I execute "index=_internal host=abc group="queue" name="httpinputq" | eval name=name+":"+host | stats values(name) by max_size_kb" => max_size_kb value showing as 107520KB.

Based on how indexing works diagram https://wiki.splunk.com/Community:HowIndexingWorks, HEC uses httpinputq but I am not able to find anything related to httpinpuq in Splunk Docs.

I am not sure from which configuration file max_size_kb value showing as 107520KB. I verified in all server.conf and inputs.conf files, but with no luck. Need help here to understand the source of max_size_kb value.

I also referred but with no luck: https://community.splunk.com/t5/All-Apps-and-Add-ons/When-HF-with-quot-Splunk-DB-Connect-quot-send-d...

Labels (1)
0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

To set httpinputq, below configuration is working in server.conf

Please change queue size as per your requirement.

[queue=httpInputQ]
maxSize = 10MB

 

View solution in original post

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

To set httpinputq, below configuration is working in server.conf

Please change queue size as per your requirement.

[queue=httpInputQ]
maxSize = 10MB

 

0 Karma

splunk_job
Engager

server.conf and also as stated in your previous post, "queueSize" in inputs.conf also worked.

Thanks for your help and quick response on this.

https://community.splunk.com/t5/All-Apps-and-Add-ons/When-HF-with-quot-Splunk-DB-Connect-quot-send-d...

https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Inputsconf#HTTP_Event_Collector_.28HEC.29_-...

0 Karma

splunk_job
Engager

Thank you for your quick response @harsmarvania57 

when I run above splunk query, existing max_size_kb value showing as 107520KB. But, I am not able to find from where this value is coming from. It's not there in any .conf files (Not in server.conf too). 

 

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Have you tried to check server.conf config using btool ?

0 Karma

splunk_job
Engager

@harsmarvania57 No luck with btool also. It's weird. 

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

In that case, you have peristent queue configured. Check inputs.conf using btool for peristent queue.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...