I'm setting up an instance of logstash that will be receiving CEF events from tcp port. I'm expecting it to be able to get up to 10k EPS but its only getting to around 2k on the input.
What should i do?
i'm on a 8core 16gb VM, logstash running on docker with 4gb heap set to it
Hi
Could you share your logstash.conf file?
Bye
Franco
There is sensitive information on the filter and output so the most i can share the input
input{
tcp{
port => 5144
codec => cef . {
delimiter => "\r\n"
raw_data_field => raw_data_field
}
}
}
I notice the Input EPS is pretty low, When i'm using flume i can easily get up to 10k.
I noticed that without the cef parser i can go up to 15k eps.
Wondering anything i can tune on the cef or ruby side?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.