Splunk Stream test environments
This page describes the various test environments used in Splunk Stream hardware performance tests.
Splunk Stream performance test results show CPU usage and memory usage of splunkd and streamfwd for HTTP and TCP/UDP traffic over a range of workloads, both with and without SSL. Hardware performance tests are run on the following Splunk Stream features:
- Splunk_TA_stream (which contains the streamfwd binary) running on a Universal forwarder (UF).
- Independent Stream Forwarder (streamfwd binary) sending data to indexers via HTTP Event Collector (HEC).
- Flow collector.
Splunk_TA_stream (UF) test environment
Splunk_TA_stream (UF) tests were run with workloads up to 1 Gbps maximum. HEC is recommended for higher bandwidth traffic.
Test hardware
CentOS 6.7 (64-bit).
Dual Intel Xeon E5-2650 CPUs (16 2.0Ghz cores; 32 cores total).
164 GB RAM.
streamfwd.conf configuration
[streamfwd]
ipAddr = 0.0.0.0
logConfig = streamfwdlog.conf
port = 8889
streamfwdcapture.0.interface = eth0
dedicatedCaptureMode = 0
Stream configuration
The universal forwarder runs with the default Stream capture configuration.
Independent Stream Forwarder (HEC) test environment
All independent Stream Forwarder test environments use the same hardware configuration. The only difference in the test setup is the list of streams enabled.
Test hardware
Independent streamfwd tests are run on the following server:
CentOS 6.7 (64-bit).
Dual Intel Xeon E5-2698 v3 CPUs (16 2.3Ghz cores; 32 cores total).
64 GB RAM.
streamfwd.conf configuration
[streamfwd]
ipAddr = 0.0.0.0
dedicatedCaptureMode = 1
streamfwdcapture.0.interface = 0000:05:00.0
streamfwdcapture.1.interface = 0000:05:00.1
Stream configurations
Independent Stream Forwarder streamfwd (HEC) tests measure performance on four different stream configurations. These configurations determine how much traffic is sent from streamfwd to the indexers, and how deeply the packets are inspected by streamfwd to extract events.
Configuration | Events forwarded to indexers | Packet inspection level |
---|---|---|
Default configuration | Aggregate | Deep |
HTTP Raw Events | Raw Events | Deep |
TCP/UDP Raw Events | Raw Events | Shallow |
TCP/UDP Aggregation | Aggregate | Shallow |
Default configuration
All streams that start with Splunk_* are enabled and all other streams that forward raw events are disabled. The Splunk_* streams create an aggregate of events in various streams so that users can estimate how much indexer capacity will be taken by Stream when they turn on forwarding of various raw events.
HTTP raw events
In this configuration, only http raw events are enabled. However, since HTTP is a level 7 protocol, it must maintain state across packets to create HTTP events of interest.
TCP/UDP raw events
In this configuration, only tcp and udp raw events are enabled. This looks no higher than level 4 of the network stack and so does not need to do deeper analysis, but sends information regarding all the raw packets that it gets.
TCP/UDP aggregation
In this configuration, we calculate the number of bytes transferred for each source IP address (src_ip) for TCP and UDP protocols. The aggregation is calculated every 30 seconds. This looks no higher than level 4 of the network stack so deeper analysis is not required.
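The TCP/UDP aggregation configuration described above, sketched as an added example (not Splunk's code): it sums bytes per src_ip in 30-second windows over a constructed event list and compares the number of aggregate events with the number of raw events that would otherwise be forwarded. The tuple layout, the function names, and the choice to keep TCP and UDP totals separate are assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 30  # aggregation interval stated on this page

# Constructed sample events: (seconds since capture start, src_ip, protocol, bytes).
# This tuple layout is an assumption for the example, not streamfwd's event schema.
RAW_EVENTS = [
    (0, "10.0.0.5", "tcp", 1500),
    (4, "10.0.0.5", "tcp", 900),
    (10, "10.0.0.9", "udp", 200),
    (12, "10.0.0.7", "icmp", 84),    # not TCP/UDP, so outside this configuration
    (29, "10.0.0.5", "udp", 64),
    (30, "10.0.0.5", "tcp", 1500),   # first event of the second 30 s window
    (45, "10.0.0.9", "udp", 300),
    (59, "10.0.0.9", "udp", 100),
]

def in_scope(event):
    """Only TCP and UDP events take part in either TCP/UDP configuration."""
    return event[2] in ("tcp", "udp")

def aggregate_bytes(events, window=WINDOW_SECONDS):
    """Sum bytes per (window start, protocol, src_ip); one output event per key."""
    totals = defaultdict(int)
    for ts, src_ip, proto, nbytes in filter(in_scope, events):
        window_start = ts - (ts % window)   # floor to the window boundary
        totals[(window_start, proto, src_ip)] += nbytes
    return [
        {"window_start": w, "protocol": p, "src_ip": ip, "sum_bytes": b}
        for (w, p, ip), b in sorted(totals.items())
    ]

def forwarded_event_counts(events, window=WINDOW_SECONDS):
    """Return (raw events forwarded, aggregate events forwarded) for comparison."""
    raw = sum(1 for e in events if in_scope(e))
    return raw, len(aggregate_bytes(events, window))

if __name__ == "__main__":
    for row in aggregate_bytes(RAW_EVENTS):
        print(row)
    raw, agg = forwarded_event_counts(RAW_EVENTS)
    print(f"raw events: {raw}, aggregate events: {agg}")
```

The aggregate count is bounded by the number of distinct (protocol, src_ip) pairs per window, while the raw count grows with traffic volume.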
Flow collector test environment
Test hardware
The NetFlow collector tests are run on the following server:
CentOS 6.7 (64-bit).
Dual Intel Xeon E5-2698 v3 CPUs (16 2.3Ghz cores; 32 cores total).
64 GB RAM
streamfwd.conf configuration
[streamfwd]
ipAddr = 0.0.0.0
processingThreads = 4
dedicatedCaptureMode = 0
httpRequestSenderThreads = 4
httpRequestSenderConnections = 40
netflowReceiver.0.port = 9996
netflowReceiver.0.protocol = udp
netflowReceiver.0.decoder = netflow
netflowReceiver.0.ip = 172.18.1.4
netflowReceiver.0.decodingThreads = 32
For Flow collector test results and methodology, see Flow collector test results in this manual.