Reputation: 335
How to batch the app events with max of 1000 events per second when using Splunk HTTP Event Collector (HEC)
I need to send the batched events to Splunk HTTP Event Collector, say 1000 events per second.
Below is the example of 5 log events that are sent to Splunk HEC -
% curl "https://splunk-example.com:8088/services/collector/raw?channel=093DCD-BC98-8UET-8AFE-8413C3825C4C&sourcetype=test_type&index=test_index"
-H "Authorization: Splunk ******-****-****-****-*********" -d '<log line 1> <log line 2> <log line 3> <log line 4>
Output: {"text":"Success","code":0}%
So how do I configure to send the application logs as 1000 events/seconds to Splunk HEC?
Upvotes: 1
Views: 824
Answers (2)
Reputation: 734
The send rate configuration i.e throttling should be done on the client side. I would assume that you will not be using "plain" curl, but rather it will be some sort of script/application. So your throttling needs to be done there.
Upvotes: 0
Reputation: 11
In your props.conf file for the sourcetype you should use "SHOULD_LINEMERGE = false". That'll break each log line into separate events.
Now, what if your event is multi line?
Then this document should help: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Configureeventlinebreaking
Upvotes: 0
Related Questions
- Splunk cli search to get all events
- Splunk HEC - Disable multiline event splitting due to timestamp
- Splunk: Throttling of alerts
- Splunk searching event logs to find values exceeding a given threshold
- Splunk HttpEventCollectorLogbackAppender how to set source and host?
- Calculating event throughput in splunk
- Splunk HEC: Start sending events in JSON format with pre existing raw events
- HTTP Event Collector: How to send logs to Splunk Cloud from command line using curl?
- How get max count of request in time in splunk
- How can I create a Splunk App dynamically by Splunk Java or C# SDK