Activate HTTP/2 to enhance Splunk Web performance

Activate HTTP/2 for Splunk Web to improve page load performance, support parallel browsing activity, and provide more efficient, secure handling of web traffic.

The HTTP/2 protocol uses multiplexed communication between Splunk Web and splunkd to handle browsing activity in parallel, rather than sequentially, like HTTP/1.1. This significantly enhances web performance, especially when you manage multiple browser tabs, complex dashboards, and simultaneous searches or pivots.

Note: The HTTP/2 protocol is supported on Linux and macOS operating systems.
Key benefits of activating the HTTP/2 protocol include:

  • Faster page loads for workflows that trigger multiple simultaneous requests.

  • More efficient handling of parallel requests with less waiting during heavy parallel interaction.

  • Improved security.

HTTP/2 binary and logs

Splunk Enterprise uses the nghttpx proxy service to handle the HTTP/2 protocol. The nghttpx proxy service starts and stops with splunkd.

You can find the binaries and log files in the following folders:

  • Binary: $SPLUNK_HOME/bin/nghttpx/

  • Proxy logs: $SPLUNK_HOME/var/log/nghttpx/

    These logs are automatically ingested into the _internal index for system health monitoring.

Prerequisites

Before activating the HTTP/2 protocol, ensure your environment meets the following requirements:

  • Supported operating systems: Linux and macOS.

    The HTTP/2 protocol is not supported on Windows.

  • Ensure Secure Sockets Layer (SSL) / Transport Layer Security (TLS) is turned on for Splunk Web. The HTTP/2 proxy (nghttpx) requires a valid certificate to start.

  • By default, the service uses the existing Splunk Web certificate and private key.

    If you need to use specific certificates, you can override the defaults using the privKeyPath and serverCert settings within the configuration stanza.

Activate HTTP/2

The HTTP/2 protocol is deactivated by default (auto_start = false). To activate HTTP/2, follow these steps:

  1. Open or create a local web.conf file in $SPLUNK_HOME/etc/system/local/.
  2. Add the following stanza and settings:
    Note:

    The httpport port must support HTTPS.

    CODE 
    [nghttpx_server]
auto_start = true
httpport = 9000
workers = 1
backendConnectionsPerFrontend = 0
  3. Restart splunkd for the changes to take effect.
To verify that HTTP/2 is active, take one or more of the following actions:

  • Confirm the nghttpx process is running on your host.

  • Check the log file for successful initialization messages in the $SPLUNK_HOME/var/log/nghttpx/ folder.

Troubleshoot HTTP/2 issues with logs

If you encounter issues with Splunk Web connectivity after activating HTTP/2, refer to the log file for the the nghttpx proxy service in the $SPLUNK_HOME/var/log/nghttpx/ folder.

The proxy service logs are ingested into the _internal index. To troubleshoot the service, run the following search:
CODE 
index=_internal sourcetype="nghttpx"

The common HTTP/2 errors may include:

  • Proxy fails to start

    Cause: Usually, an invalid or missing SSL certificate.

    Solution: Ensure Splunk Web SSL is properly configured.

  • Port conflicts

    Cause: Another service is using the port assigned to the nghttpx proxy service.

    Solution: Update the httpport setting in the [nghttpx_server] stanza to an unused port.

Deactivate HTTP/2 and revert to HTTP/1.1

The process of deactivating the HTTP/2 protocol and reverting to HTTP/1.1 is immediate and does not result in data loss.

Take the following steps:

  1. Open your web.conf file.
  2. In the [nghttpx_server] stanza, set auto_start = false or remove the stanza entirely.
  3. Restart splunkd.

Traffic will immediately return to using HTTP/1.1. There is no residual state or temporary data that requires cleaning up.