Splunk Stream test environments
This page describes the various test environments used in Splunk Stream hardware performance tests.
Splunk Stream performance test results show CPU usage and Memory usage of
streamfwd for HTTP and TCP/UDP traffic over a range of workloads, both with and without SSL. Hardware performance tests are run on the following Splunk Stream features:
Splunk_TA_stream(which contains the
streamfwdbinary) running on a Universal forwarder (UF).
- Independent Stream Forwarder (
streamfwdbinary) sending data to indexers via HTTP Event Collector (HEC).
- Flow collector.
Splunk_TA_stream (UF) test environment
Splunk_TA_stream (UF) tests were run with workloads up to 1 Gbps maximum. HEC is recommended for higher bandwidth traffic.
CentOS 6.7 (64-bit). Dual Intel Xeon E5-2650 CPUs (16 2.0Ghz cores; 32 cores total). 164 GB RAM.
[streamfwd] ipAddr = 0.0.0.0 logConfig = streamfwdlog.conf port = 8889 processingThreads = 4 streamfwdcapture.0.interface = eth0 dedicatedCaptureMode = 0
The universal forwarder runs with the default Stream capture configuration.
Independent Stream Forwarder (HEC) test environment
All independent Stream Forwarder test environments use the same hardware configuration. The only difference in the test setup is the list of streams enabled.
streamfwd tests are run on the following server:
CentOS 6.7 (64-bit). Dual Intel Xeon E5-2698 v3 CPUs (16 2.3Ghz cores; 32 cores total). 64 GB RAM.
[streamfwd] ipAddr = 0.0.0.0 processingThreads = 4 dedicatedCaptureMode = 1 streamfwdcapture.0.interface = 0000:05:00.0 streamfwdcapture.1.interface = 0000:05:00.1
Independent Stream Forwarder
streamfwd (HEC) tests measure performance on four different stream configurations. These configurations determine how much traffic is sent from
streamfwd to the indexers, and how deeply the packets are inspected by
streamfwd to extract events.
|Configuration||Events forwarded to indexers||Packet inspection level|
|HTTP Raw Events||Raw Events||Deep|
|TCP/UDP Raw Events||Raw Events||Shallow|
All streams that start with Splunk_* are enabled and all other streams that forward raw events are disabled. The Splunk_* streams create an aggregate of events in various streams so that users can estimate how much indexer capacity will be taken by Stream when they turn on forwarding of various raw events.
HTTP raw events
In this configuration, only http raw events are enabled. However, since HTTP is a level 7 protocol, it must maintain state across packets to create HTTP events of interest.
TCP/UDP raw events
In this configuration, only tcp and udp raw events are enabled. This looks no higher than level 4 of the network stack and so does not need to do deeper analysis, but sends information regarding all the raw packets that it gets.
In this configuration, we calculate the number of bytes transferred for each source IP address (src_ip) for TCP and UDP protocols. The aggregation is calculated every 30 seconds. This looks no higher than level 4 of the network stack so deeper analysis is not required.
Flow collector test environment
The NetFlow collector tests are run on the following server:
CentOS 6.7 (64-bit). Dual Intel Xeon E5-2698 v3 CPUs (16 2.3Ghz cores; 32 cores total). 64 GB RAM
Protocols that map to Splunk CIM
Splunk_TA_stream (UF) test results - default configuration
This documentation applies to the following versions of Splunk Stream™: 7.3.0, 7.4.0, 8.0.0