Skip to content

Commit

Permalink
Fix rendering of diskbuffer section in configuration.md
Browse files Browse the repository at this point in the history 
* Fix rendering of diskbuffer section in `configuration.md`
  • Loading branch information
Mark Bonsack committed May 22, 2020
1 parent 1756ce3 commit 039ee8c
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions docs/configuration.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -276,17 +276,18 @@ Without disk buffering enabled SC4S can handle up to 345K EPS (800 bytes/event a
With “Normal” disk buffering enabled SC4S can handle up to 60K EPS (800 bytes/event avg) -- This is still a lot of data!

To guard against data loss it is important to configure the appropriate type and amount of storage for SC4S disk buffering. To estimate the storage allocation, follow these steps:

* Start with your estimated maximum events per second that each SC4S server will experience. Based on the maximum throughput of SC4S with disk buffering enabled, the conservative estimate for maximum events per second would be 60K (however, you should use the maximum rate in your environment for this calculation, not the max rate SC4S can handle).
* Next is your average estimated event size based on your data sources. It is common industry practice to estimate log events as 800 bytes on average.
* Then, factor in the maximum length of connectivity downtime you want disk buffering to be able to handle. This measure is very much dependent on your risk tolerance.
* Lastly, syslog-ng imposes significant overhead to maintain its internal data structures (primarily macros) so that the data can be properly "played back" upon network restoration. This overhead currently runs at about 1.7x above the total storage size for the raw messages themselves, and can be higher for "fallback" data sources due to the overlap of syslog-ng macros (data fields) containing some or all of the original message.


For example, to protect against a full day of lost connectivity from SC4S to all your indexers at maximum throughput the calculation would look like the following...

60,000 EPS * 86400 seconds * 800 bytes * 1.7 = 6.4 TB of storage

To configure storage allocation for the SC4S disk buffering, do the following...
To configure storage allocation for the SC4S disk buffering, do the following:

* Edit the file /opt/sc4s/default/env_file
* Add the SC4S_DEST_SPLUNK_HEC_DISKBUFF_DISKBUFSIZE variable to the file and set the value to the number of bytes based on your estimation (e.g. 7050240000000 in the example above)
* Splunk does not recommend reducing the disk allocation below 500 GB
Expand Down

0 comments on commit 039ee8c

Please sign in to comment.