Monitoring Splunk

Is it possible to configure HTTP Event Collector for faster response time per request?

richardAtOmni
Path Finder

I wrote a simple test to push logs to Splunk through the Http Event Collector, directly using .NET webclient. The code simply loops and pushes a web request to the collector on the Splunk instance running on my local machine.

Running this test, I'm finding that I cannot get logs into Splunk any faster than a single log line per second. The code is very simple, so I'm sure that there aren't any delays on the client side. What I'm seeing is that it usually takes up to a full second for Splunk to respond with the "OK" response. I'm concerned this will become a performance bottleneck for my application.

I'm wondering if this is the approximate expected response time per request. It almost seems like this is being intentionally throttled. If it is, is this configurable?

I understand higher performance can be achieved by batching requests, or by spawning mutliple clients and issuing these requests in parallel. I want to know however what is the throughput limit that can be achieved on a per thread basis without batching. Any insight that can be provided would be appreciated.

Thanks!

Richard

0 Karma
1 Solution

richardAtOmni
Path Finder

I figured out the problem. I had my test running through Fiddler, which was forcing it to renegotiate the SSL handshake for every request. Once I routed the test directly the response times were much better – 2ms or better.

Thanks,
Richard

View solution in original post

0 Karma

richardAtOmni
Path Finder

I figured out the problem. I had my test running through Fiddler, which was forcing it to renegotiate the SSL handshake for every request. Once I routed the test directly the response times were much better – 2ms or better.

Thanks,
Richard

0 Karma

richardAtOmni
Path Finder

Just an additional note: I measured the time each call takes to send and receive a response, and they seem to take approx. 1.35 seconds each. This is much slower than I would have expected. Is this normal?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...