From ba1d03f2525735aef65975b9577c7c004e9567a3 Mon Sep 17 00:00:00 2001 From: Mark Bonsack Date: Fri, 17 Jan 2020 13:52:29 -0800 Subject: [PATCH 1/2] Update batch_timeout to reflect ms units * Update batch-timeout() value from 1 to 1000 to reflect ms units. Intended value still 1 second. --- package/etc/conf.d/destinations/splunk_hec.conf.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl index 90dc794..a67c802 100644 --- a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl +++ b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl @@ -6,7 +6,7 @@ destination d_hec { workers({{- getenv "SC4S_DEST_SPLUNK_HEC_WORKERS" "10"}}) batch-lines({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_LINES" "1000"}}) batch-bytes({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_BYTES" "4096kb"}}) - batch-timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT" "1"}}) + batch-timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT" "1000"}}) timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_TIMEOUT" "30"}}) user_agent("sc4s/1.0 (events)") user("sc4s") From 03aff7d3052bc08ac4c5a5000f1e0c655a70d3da Mon Sep 17 00:00:00 2001 From: mbonsack Date: Mon, 20 Jan 2020 11:19:53 -0800 Subject: [PATCH 2/2] Change to 3000ms to allow for fuller batches * Change to 3000ms to allow for fuller batches; preference is for full batches over latency --- package/etc/conf.d/destinations/splunk_hec.conf.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl index a67c802..eb19250 100644 --- a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl +++ b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl @@ -6,7 +6,7 @@ destination d_hec { workers({{- getenv "SC4S_DEST_SPLUNK_HEC_WORKERS" "10"}}) batch-lines({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_LINES" "1000"}}) batch-bytes({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_BYTES" "4096kb"}}) - batch-timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT" "1000"}}) + batch-timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_BATCH_TIMEOUT" "3000"}}) timeout({{- getenv "SC4S_DEST_SPLUNK_HEC_TIMEOUT" "30"}}) user_agent("sc4s/1.0 (events)") user("sc4s") @@ -45,4 +45,4 @@ destination d_hec { event="$MSG" fields.*)') ); -}; \ No newline at end of file +};