Splunk Edge Hub OS data handling

The following topic describes Splunk Edge Hub OS memory capacity, data groups, data streamer processes, and how backlog data is handled.

On-board memory capacity

The latest version of Splunk Edge Hub OS offers 32 GB of on-board memory, 3GB of which are used by the operating system.

Data groups

The following table lists the data groups that Splunk Edge Hub OS handles, their formats, and the index for ingesting the data:

Data streamer process

Each data group has a separate data streamer process and follows a custom configuration. Currently, Splunk Edge Hub OS does not support using a universal forwarder.

The data streamers for sensors, health, and SNMP send batch requests of 10 items. The data streamer for logs sends batch requests of 5 items.

Splunk Edge Hub OS monitors if the Splunk App for Edge Hub and AR is reachable every 15 seconds. If the app cannot be reached, the Splunk Edge Hub status light ring changes from green to red and the data streamers start to use SQLite database as a backlog.

Data backlog handling

Backlogs are separate for each data streamer. The health, log, anomalies, and SNMP backlogs support a total of 100,000 data points. The sensor backlog supports a total of 3 million data points. If the limit is reached, the oldest entries are deleted first.

After the network connection is restored, the status light ring returns to green. Splunk Edge Hub OS processes the backlog using FIFO. It starts a separate thread and processes a block of the oldest 10,000 entries by sending individual batch requests of 100 items to HTTP Event Collector (HEC). Splunk Edge Hub OS repeats this process until the backlog is empty.

The limits on how backlog requests are handled are hardcoded. These limits cannot be configured.