
Forums: SplunkGeneral: WAN utilization when forwarding Security Log




Hello,
I want to determine the root cause of the difference between the raw Security Log data and the amount of traffic generated by Splunk when forwarding that data. For example, I have a Security Log which generates 34MB/hour (which is about 77kbits/sec), and Splunk forwarding only this log in LightForwarder mode consumes about 230kbits/sec.
Can anyone explain the difference to me? Is it because the Security Log is stored differently from how Splunk sends the events?

Thanks, Marcin

If you're talking about Windows Security Logs, yes, it is because Windows Security Logs are stored very differently. They are stored in a binary format, and each log entry only contains pointers to the WinEventLog event text and names (which are stored in Windows DLLs). Splunk's input processor has to call the Windows API to expand this data into a readable form, which significantly increases its size. The above numbers seem about consistent with this.