Splunk Stream test environments
This page describes the various test environments used in Splunk Stream hardware performance tests.
Splunk Stream performance test results show CPU usage and Memory usage of splunkd
and streamfwd
for HTTP and TCP/UDP traffic over a range of workloads, both with and without SSL. Hardware performance tests are run on the following Splunk Stream features:
Splunk_TA_stream
(which contains thestreamfwd
binary) running on a Universal forwarder (UF).- Independent Stream Forwarder (
streamfwd
binary) sending data to indexers via HTTP Event Collector (HEC). - Flow collector.
Splunk_TA_stream
(UF) test environment
Splunk_TA_stream
(UF) tests were run with workloads up to 1 Gbps maximum. HEC is recommended for higher bandwidth traffic.
Test hardware
CentOS 6.7 (64-bit). Dual Intel Xeon E5-2650 CPUs (16 2.0Ghz cores; 32 cores total). 164 GB RAM.
streamfwd.conf
configuration
[streamfwd] ipAddr = 0.0.0.0 logConfig = streamfwdlog.conf port = 8889 processingThreads = 4 streamfwdcapture.0.interface = eth0 dedicatedCaptureMode = 0
Stream configuration
The universal forwarder runs with the default Stream capture configuration.
Independent Stream Forwarder (HEC) test environment
All independent Stream Forwarder test environments use the same hardware configuration. The only difference in the test setup is the list of streams enabled.
Test hardware
Independent streamfwd
tests are run on the following server:
CentOS 6.7 (64-bit). Dual Intel Xeon E5-2698 v3 CPUs (16 2.3Ghz cores; 32 cores total). 64 GB RAM.
streamfwd.conf
configuration
[streamfwd] ipAddr = 0.0.0.0 processingThreads = 4 dedicatedCaptureMode = 1 streamfwdcapture.0.interface = 0000:05:00.0 streamfwdcapture.1.interface = 0000:05:00.1
Stream configurations
Independent Stream Forwarder streamfwd
(HEC) tests measure performance on four different stream configurations. These configurations determine how much traffic is sent from streamfwd
to the indexers, and how deeply the packets are inspected by streamfwd
to extract events.
Configuration | Events forwarded to indexers | Packet inspection level |
---|---|---|
Default configuration | Aggregate | Deep |
HTTP Raw Events | Raw Events | Deep |
TCP/UDP Raw Events | Raw Events | Shallow |
TCP/UDP Aggregation | Aggregate | Shallow |
} Default configurationAll streams that start with Splunk_* are enabled and all other streams that forward raw events are disabled. The Splunk_* streams create an aggregate of events in various streams so that users can estimate how much indexer capacity will be taken by Stream when they turn on forwarding of various raw events. HTTP raw eventsIn this configuration, only http raw events are enabled. However, since HTTP is a level 7 protocol, it must maintain state across packets to create HTTP events of interest. TCP/UDP raw eventsIn this configuration, only tcp and udp raw events are enabled. This looks no higher than level 4 of the network stack and so does not need to do deeper analysis, but sends information regarding all the raw packets that it gets. TCP/UDP aggregationIn this configuration, we calculate the number of bytes transferred for each source IP address (src_ip) for TCP and UDP protocols. The aggregation is calculated every 30 seconds. This looks no higher than level 4 of the network stack so deeper analysis is not required. Flow collector test environmentTest hardwareThe NetFlow collector tests are run on the following server: CentOS 6.7 (64-bit). Dual Intel Xeon E5-2698 v3 CPUs (16 2.3Ghz cores; 32 cores total). 64 GB RAM
|
Protocols that map to Splunk CIM | Splunk_TA_stream (UF) test results - default configuration |
This documentation applies to the following versions of Splunk Stream™: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3
Feedback submitted, thanks!