Digital Resilience Pays Off
Download this e-book to learn about the role of Digital Resilience across enterprises.
This is a follow up to my earlier post on the forceTimebasedAutoLB setting for outputs.conf.
There was some discussion (read: prove it to me) on the IRC channel about how would this feature behave with multi-line events or double byte characters. Well, you will be glad to know it worked flawlessly.
My events are from a Japanese Windows instance:
I sent over 500,000 events using the oneshot command from the UF.
And it worked as expected.
Lastly, there was some talk about data munging. Meaning part of one event being incorrectly added to another event. This can happen when Splunk doesn’t break a multi-line event proper. In my test, I didn’t even setup a BREAK_ONLY_BEFORE or LINE_BREAKER rule on the indexers, and just ran with the defaults. To make sure non of the events were munged, I did a search on the size of each event:
Well there you go duckfez. Hopefully I’ve proven to you that the feature is as awesome as you hoped it would be. =)
----------------------------------------------------
Thanks!
Karandeep Bains
----------------------------------------------------
Thanks!
Karandeep Bains
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.