Solved: Is there a potential data loss with UDP?

ddrillic · ‎01-17-2019

We are forced to use UDP (and not TCP) for one client and we wonder how much data loss we might expect with UDP.

Any thoughts?

dkeck · ‎01-17-2019

HI,

this tuning tips might help you to lower the potential data loss.

https://wiki.splunk.com/Community:UDPInputs

View solution in original post

ddrillic · ‎01-17-2019

Our Sales Engineer said -

-- The best practice (not just for Splunk, really for the whole industry) is to put your UDP receiver as close as possible to the sender. Like, on the same switch if you can help it. This will minimize the lost packets that are indeed inevitable with UDP.

The other thing you should look into is whether UDP is really required. Most appliances / switches / firewalls / routers these days have an alternative way to send data. Usually an API, TCP bound syslog, a form of reliable/resilient UDP etc. Literally anything is better than basic UDP.

dkeck · ‎01-17-2019

HI,

this tuning tips might help you to lower the potential data loss.

https://wiki.splunk.com/Community:UDPInputs

ddrillic · ‎01-18-2019

Thank you @dkeck!

nswondem · ‎01-17-2019

By definition, UDP is not reliable. Try the tuning but remember that on the network layer UDP is not going to try. No handshake.

Is there a potential data loss with UDP?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes