While that recommendation pre-dates EC (the same text appears in pre-6.3 docs), it remains in the current (6.4) docs. is the recommended protocol for sending data from any remote host to your Splunk Enterprise server I'd be interested in results of high volume performance benchmark testing of EC versus TCP.

According to the Splunk docs topic "Getting Data In": I've read various Splunk blog posts and Splunk dev topics on EC (including "Introduction", "Walkthrough", and "Distributed deployment"), but I don't see any compelling reasons there to use EC when I can use TCP. perhaps I'm just not looking in the right places, or perhaps I need to enable debug logging for some category, although I'd rather not do that for ongoing "production" use.)

For example, when I deliberately send badly formed JSON to EC, the data.num_of_parser_errors in the _introspection index for that time period has a value of 1, but I cannot find specific details of that error in any Splunk log. As far as I can tell, Splunk does not log the details of individual EC request errors. (I have questions about that, that I might ask - in a separate question - here on Splunk Answers. I'd prefer to capture and handle those errors via Splunk's own logging. In fact, while I want to know that there's a Splunk server listening - and I know that when I attempt to open a connection (which is why I don't want to use UDP) - I do not want to spend CPU time on the "sending" platform handling errors reported by Splunk. However, neither of these answers is compelling to me. (I've already bleated about this in the question "Can I use the HTTP Event Collector JSON event protocol for TCP inputs?".)

Another answer: using EC - HTTP - means you get a response (in JSON) that reports the success or failure of the request. Whereas, with TCP, you have to embed the time stamp and (if you want to send multiple source types to the same TCP port) source type as fields in the event data.
So, that's one answer: EC separates metadata from data. So I'm already familiar with some of the differences between EC and TCP inputs.

For example, the EC protocol enables you to specify event time and source type as metadata, whereas using TCP involves configuring timestamp recognition and overriding source type per event (in. I am successfully sending events in JSON format to a single Splunk instance via the HTTP Event Collector (EC) and TCP. I want to send events to Splunk over an IP network. I'm working on a platform that does not have a Splunk Universal Forwarder. (This question encompasses single-instance Splunk installations and multisite indexer clusters.)