1

I need to send the batched events to Splunk HTTP Event Collector, say 1000 events per second.

Below is the example of 5 log events that are sent to Splunk HEC -

% curl "https://splunk-example.com:8088/services/collector/raw?channel=093DCD-BC98-8UET-8AFE-8413C3825C4C&sourcetype=test_type&index=test_index" \
  -H "Authorization: Splunk ******-****-****-****-*********" -d '<log line 1>   <log line 2>  <log line 3>  <log line 4>'

  Output:  {"text":"Success","code":0}%

So how do I configure to send the application logs as 1000 events/second to Splunk HEC?

warren
MichealMills

2 Answers

0

In your props.conf file for the sourcetype you should use "SHOULD_LINEMERGE = false". That'll break each log line into separate events.

Now, what if your event is multi line?

Then this document should help: https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Configureeventlinebreaking

Tyler2P
Scott S
  • how does linebreaking have anything to do with how many events are sent per second to the HEC? – warren Jun 23 '22 at 14:09
  • The original question was unclear, fair point. My assumption was that there was an issue with Splunk receiving multiple logs per second. Personally, I send thousands of logs per second to my indexers (large network syslog) with no special config whatsoever. Except for the line merging. – Scott S Jun 23 '22 at 14:46
  • don't assume: ask for clarifying information. SO isn't like "traditional" internet forums. The expectation is that it's a question and answer format, not a "stop some semi-/un-helpful comment and run" site :) – warren Jun 23 '22 at 14:48
  • Also - OP specifically asked about *batching* sending logs to HEC, not *merely* how many events could they send per second: they want to know how to send up to 1000 events at a time in a batch per second :) – warren Jun 23 '22 at 14:48
0

The send rate configuration, i.e., throttling, should be done on the client side. I would assume that you will not be using "plain" curl, but rather it will be some sort of script/application. So your throttling needs to be done there.

Ilya
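
Client-side batching and throttling against the raw HEC endpoint from the question, as an added example that is not code from either answer or from Splunk. The function names, the `SPLUNK_HEC_TOKEN` environment variable and the `<channel>` placeholder are assumptions, and it assumes the sourcetype breaks events per line (`SHOULD_LINEMERGE = false`, as in the first answer).

```python
import json
import os
import time
import urllib.request

# Endpoint shape taken from the question's curl command; <channel> is a placeholder.
HEC_URL = ("https://splunk-example.com:8088/services/collector/raw"
           "?channel=<channel>&sourcetype=test_type&index=test_index")


def post_to_hec(body: bytes) -> dict:
    """POST one newline-delimited batch and return HEC's JSON reply."""
    # The token is read from the environment so it never lands in source control.
    token = os.environ["SPLUNK_HEC_TOKEN"]  # assumed variable name
    req = urllib.request.Request(
        HEC_URL, data=body, method="POST",
        headers={"Authorization": "Splunk " + token})
    # urllib verifies the server certificate by default; leave that enabled.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def batches(lines, max_events=1000):
    """Group log lines into lists of at most max_events, skipping blank lines."""
    batch = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        batch.append(line)
        if len(batch) == max_events:
            yield batch
            batch = []
    if batch:
        yield batch  # final partial batch


def send_throttled(lines, post=post_to_hec, max_events=1000, interval=1.0,
                   sleep=time.sleep, clock=time.monotonic):
    """Send at most one batch per interval seconds; return events accepted."""
    sent = 0
    for batch in batches(lines, max_events):
        started = clock()
        reply = post(("\n".join(batch) + "\n").encode("utf-8"))
        if reply.get("code") != 0:  # {"text":"Success","code":0} means accepted
            raise RuntimeError(f"HEC rejected batch after {sent} events: {reply}")
        sent += len(batch)
        remaining = interval - (clock() - started)
        if remaining > 0:
            sleep(remaining)  # pad the rest of the interval
    return sent
```

Call `send_throttled(open("app.log"))` from the shipping script; the `post`, `sleep` and `clock` parameters exist so the pacing can be exercised without a network connection.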