To increase performance when logging to Splunk there are two options that play a significant role in increasing throughput, workers and batch-lines.
Description: Specifies how many lines are flushed to a destination in one batch. The syslog-ng PE application waits for this number of lines to accumulate and sends them off in a single batch. Increasing this number increases throughput as more messages are sent in a single batch, but also increases message latency.
For example, if you set batch-lines() to 100, syslog-ng PE waits for 100 messages.
If the batch-timeout() option is disabled, the syslog-ng PE application flushes the messages if it has sent batch-lines() number of messages, or the queue became empty. If you stop or reload syslog-ng PE or in case of network sources, the connection with the client is closed, syslog-ng PE automatically sends the unsent messages to the destination.
If the batch-timeout() option is enabled and the queue becomes empty, syslog-ng PE flushes the messages only if batch-timeout() expires, or the batch reaches the limit set in batch-lines().
For optimal performance, make sure that the syslog-ng PE source that feeds messages to this destination is configured properly: the value of the log-iw-size() option of the source must be higher than the batch-lines()*workers() of the destination. Otherwise, the size of the batches cannot reach the batch-lines() limit. Additionally, increasing the batch-lines() option will increase the number of logs sent in a batch thus increasing throughput.
Description: Specifies the number of worker threads (at least 1) that syslog-ng PE uses to send messages to the server. Increasing the number of worker threads can drastically improve the performance of the destination.
CAUTION:
Hazard of data loss!
When you use more than one worker threads together with the disk-buffer option, syslog-ng PE creates a separate disk-buffer file for each worker thread. This means that decreasing the number of workers can result in losing data currently stored in the disk-buffer files. Do not decrease the number of workers when the disk-buffer files are in use.
If you are using load-balancing (that is, you have configured multiple servers in the url() option), increase the number of worker threads at least to the number of servers. For example, if you have set three URLs (url("site1" "site2" "site3")), set the workers() option to 3 or more.
For optimal performance, increase the number of workers to the number of indexers available within the Splunk instance receiving logs. If there are 8 indexers within Splunk, set the option as follows:
workers(8)
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center