Packetbeat dropping transactions when attempting to split http requests and responses into seperate transactions


We are currently trying to do a full trace of all request and response XML payloads across an application. Packetbeat is able to get all transactions across the port specified when the transaction timeout is greater than the expected response time. However we need to have the request and response logged as separate transactions. According to the docs, if the transaction timeout is less than the response time, they will be logged a separate events. We have set up packetbeat to able to grab a unique header generated by a load balancer and use it as a key in Kafka output to match up request and responses.

However, Packetbeat is only able to get around 80% of the transactions, with no errors in the logs and elasticsearch monitoring does not show any transactions dropped or failed.
We have tried increasing the interface.buffer size, interface.snaplen size, max queue size, queue flush timeout but the results are pretty much the same.

Is there a potential bug where not all transactions are published when the transaction timeout is breached or some setting the only allows are certain amount of transactions through when the timeout is breached.

Please see config for network interface, http protocol and kafka output config. We are using packetbeat version 7.3.0

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.