Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Performance reference for the Azure Event Hub input in the Splunk Add-on for Microsoft Cloud Services

The following tables contain reference information about performance testing of the Azure Event Hub input in the Splunk Add-on for Microsoft Cloud Services. Use this information to enhance the performance of your own Azure Event Hub data collection tasks.

Many factors impact performance results, including file size, file compression, event size, deployment architecture, batch size for Event Hub file size, and hardware. Results represent reference information and do not represent performance in all environments.

Version 5.0.0 Event Hub performance characteristics

Common architecture setup Scenario Event type Event Size Ingest Rate IDM CPU
Splunk platform environment - Victoria Search Head Cluster
  • 1 cluster master (c5.xlarge)
  • 3 search heads (m5.2xlarge)
    • 8 CPU core
    • 16 GB RAM
  • 3 indexers (i3.4xlarge)
    • 16 CPU core
    • 122 GB RAM
  • Default TA configs
 1 input 16 partition eventhub Non-JSON 1 KB 2124 kb/s N/A
16 inputs 16 partition eventhub Non-JSON 1 KB 7018 kb/s N/A
1 input 32 partition eventhub Non-JSON 1 KB 2124 kb/s N/A
32 inputs 32 partition eventhub Non-JSON 1 KB 4093 kb/s N/A
Splunk platform environment - Classic Cluster (1 IDM)
  • 1 cluster master (c5.xlarge)
  • 3 search heads (c6i.xlarge)
    • 4 CPU core
    • 8 GB RAM
  • 3 indexers (i3.large)
    • 2 CPU core
    • 15.25 GB RAM
  • 1 Input Data Manager (IDM) (r6i.xlarge)
    • 4 CPU core
    • 32 GB RAM
  • Default TA configs
 1 input 16 partition eventhub Non-JSON 1 KB 1947 kb/s 30.60%
16 inputs 16 partition eventhub Non-JSON 1 KB 1949 kb/s 13%
1 input 32 partition eventhub Non-JSON 1 KB 1845 kb/s 30%
32 inputs 32 partition eventhub Non-JSON 1 KB 1380 kb/s 20%

Version 4.1.5 Event Eub performance characteristics

See the following performance testing data for the previous version 4.1.5.

Event Hub input performance characteristics

Common Setup Event type Event size Scenario Ingest rate Data lag IDM CPU Index CPU Bottleneck
  • 2 add-on inputs
  • 2 Event Hub partitions
  • Default Splunk Cloud platform environment
    • 1 cluster master (c5.xlarge)
    • 1 search head (c5.2xlarge)
    • 3 indexer cluster (i3.large)
    • 1 Inputs Data Manager (IDM) (r5.xlarge)
  • default TA configs
  • 1 IDM (4 cores, 32 GB memory)
JSON 1 KB Sweet Spot 187 GB/Day (2200 eps) 4 seconds 50-89% 86-92% IDX CPU utilized
Non-JSON (mcas-cef) 994 bytes Sweet Spot 133 GB/day (2000 eps) 8 seconds 65-94% 99% IDX CPU utilized

Event Hub Scale Up performance characteristics

Environment setup

Cluster setup Event Hub namespace Event Hub Add-on inputs Splunk software configurations
Scaled up Splunk Cloud platform environment
  • 1 cluster master (c5.xlarge)
  • 1 search head (c5.9xlarge)
  • 3 indexer cluster (i3.8xlarge)
    • 32 CPU cores
    • 244 GB memory
  • 2 Input Data Manager (c5.9xlarge)
    • 36 CPU cores
    • 72 GB memory
  • 2 Event Hub namespaces
  • 40 throughput units (TU) on each namespace
  • 80 throughput units (TU) in total (2*40)
  • 2 Event Hubs per namespace
  • 4 Event Hubs in total (2*2)
  • 20 partitions per Event Hub
  • 80 partitions in total (4*20)
  • 80 inputs in total (2*40)
  • 40 inputs per add-on
  • 2 add-on installed on Inputs Data Manager
  • default add-on configurations
  • max wait 10s
  • batch size 300
  • 1 add-on pulls from 1 namespace only
  • 1 add-on pulls from 2 Event Hubs on same namespace
  • 40 inputs on each add-on
  • 20 inputs on each Event Hub (20 partitions)
 Inputs Data Manager and indexer configuration


  • parallelIngestionPipelines = 8

Scale up result summary

Event type Number of inputs Event size Scenario Ingest rate Ingest Events per second Max index rate Data lag in seconds Inputs Data Manager (IDM) CPU % IDM CPU Cores % (Percentage of total IDM cores) Indexer CPU %
JSON 80 1 Kb Sweet Spot 6.106 TB/day 78K 7.55 TB/day 4s 51% 36% 30.5%
JSON 10 1 Kb Sweet Spot 1.764 TB/day 20.8K 2.19 TB/day 9s 24% 8.6% 10%
Non JSON 80 0.998 Kb Sweet Spot 5.555 TB/day 83.2K 7.22 TB/day 4s 67% 48% 47%
Non JSON 10 0.998 Kb Sweet Spot 1.595 TB/day 24K 2.07 TB/day 3s 29% 10.4% 11%
Last modified on 01 December, 2023
PREVIOUS
Lookups for the Splunk Add-on for Microsoft Cloud Services 		  NEXT
Performance reference for the Azure Storage Table input in the Splunk Add-on for Microsoft Cloud Services

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters