Corrupted events using HTTPS and TCP (with SSL)

gary_byron · ‎09-10-2017

Has anyone had issues with the latest version of ta-protocol adapater corrupting the data that comes in?
We have two feeds, one a HTTPS setup receiving from Akamai and the other just a straight TCP feed (SSL enable)
The data for both of them seems to get corrupted, either the events get split, or truncated at various points.
Its not the Splunk limits as far as I can tell.

gary_byron · ‎09-11-2017

Sure, listed below. Thanks - I was also looking at the TCP buffer size also, but couldn't see what the default value was.
I had assumed it was just a number (in bytes)

[protocol://Akamai-Receiver]
bind_address = 0.0.0.0
client_auth_required = 0
index = prod_akamai
ip_version = v4
is_multicast = 0
output_type = stdout
port = 6710
protocol = http
set_broadcast = 0
set_multicast_loopback_mode = 0
sourcetype = waf:akamai:json
tcp_keepalive = 0
tcp_nodelay = 0
use_ssl = 1
keystore_pass = xxxx
keystore_path = /opt/splunk/etc/apps/IG_Certs/local/xxxx.jks
disabled = 0
server_verticle_instances = 2

Damien_Dallimor · ‎09-11-2017

Can you describe your setup configuration ? ie: the protocol:// stanza from inputs.conf would help.

Boosting your TCP receive buffer size may help , there is a field for this in the configuration.

Corrupted events using HTTPS and TCP (with SSL)

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life