Save the HEC token that you enabled, and the URL for your event connector. ![]() Configure the remaining optional settings as necessary. During the setup, ensure that you select Enable SSL for your HEC input because VMware Secure App IX supports export of logs over HTTPS only. See Set up and use HTTP Event Collector in Splunk Web. The setup includes enabling HEC on Splunk Cloud Platform to allow use of HEC inputs. If you are hosted in Splunk Cloud, our support folks will be more than happy to take care of it for you.Īs a side note, we’ll be upping this default in our next release to 800MB, so that you are never bothered by this error again. Before you begin To use Splunk as a destination for your logs, you need to: Set up an HTTP Event Collector instance (HEC) that matches the type of Splunk software you use. To best address capacity needs, Splunk recommends that you monitor the HEC throughput and back pressure on Splunk Connect for Kubernetes deployments and be prepared to add additional nodes as needed. If you look in $SPLUNK_HOME$/etc/system/default/nf you’ll see the following:Īll you need to do is up that limit in /etc/system/local/nf and restart your Splunk instance and you’ll be good to go. Splunk Connect for Kubernetes can exceed the default throughput of HEC. Fortunately this limit is configurable via nf. The reason you are hitting this error is because HEC has a pre-defined limit on the maximum content length for the request. Splunk provides their own appenders, but at the time of this libraries creation. “Content-Length of XXXXX too large (maximum is 1000000) “Īt this point you might feel tempted to pull your hair out, but fortunately you have options. This is a Logback Appender made for Splunks HTTP Event Collector (HEC) API. Splunk Connect for Kubernetes can exceed the default throughput of HEC. ![]() Unfortunately as soon as you exceed a request payload size of close to 1MB (for example if you use our Akamai app or send events from AWS Lambda) you’ll get an error status 413, with a not so friendly error message: Once you start using HEC, you want to send it more and more data, as you do your payloads are going to increase in size, especially if you start batching. Please reference the most current documentation here. Splunk will expect the information below, which is the basic information you need to. ![]() U pdated 9/17/21: Some of the content below re: maximum content length may be outdated.
0 Comments
Leave a Reply. |