The Splunk HTTP Event Collector (HEC) is a great mechanism for receiving streaming data from a variety of sources where it may not be practical to use another collection mechanism, such as monitoring a log file. These include many types of cloud services and applications, as well as custom applications that can do logging via a web POST request.

In some cases, you may have the option of using HEC or an API pull on a heavy forwarder to collect data, such as for Amazon Web Services (AWS). Generally, if HEC is an available option, it is the best one to use. I’ve covered some of the benefits of using HEC near the end of my 2019 .conf talk, Administrators Anonymous: Splunk Best Practices and Useful Tricks I Learned the Hard Way, available here for your viewing pleasure.

Using HEC is advantageous to your data ingestion experience because using a streaming mechanism will be better than using a polling method. This is for a couple of different reasons.

Provides close to real-time ingestion: Streaming data can be received by Splunk as soon as it is created, which makes it available for searching much faster. A polling method runs on a scheduled interval, checking for new data in a queue on a regular basis. This means there will always be at least some delay in getting data, depending on how often the polling happens.

Avoids API limits: In order to reduce the delay associated with an API pull, it may be tempting to increase the frequency of these checks to get the data faster. However, many APIs have or may enforce rate limits if they are accessed too frequently. Streaming data doesn’t rely on this mechanism, so any API rate limits don’t apply in the same way.
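
As an added example (not from the original post), this is how a custom application could push events to HEC with a web POST the moment they are created, instead of waiting to be polled. The host name, environment variable, sourcetype and sample events are assumptions made for illustration.

```python
import json
import os
import ssl
import time
import urllib.request

HEC_PATH = "/services/collector/event"  # HEC endpoint for JSON-wrapped events


def build_hec_request(base_url, token, events, sourcetype="myapp:json", host="app01"):
    """Build (but do not send) one HEC POST carrying a batch of events."""
    if not base_url.lower().startswith("https://"):
        # The token travels in a header, so refuse cleartext transport.
        raise ValueError("HEC URL must use https")
    if not token:
        raise ValueError("missing HEC token")
    # HEC accepts several JSON event objects concatenated in one request body.
    body = "\n".join(
        json.dumps({"time": ev.get("time", time.time()), "host": host,
                    "sourcetype": sourcetype, "event": ev["event"]})
        for ev in events
    ).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=body, method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )


def send(request, timeout=5):
    """Push the batch immediately; certificate verification stays enabled."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(request, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read())  # HEC replies {"text": "Success", "code": 0}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": 1700000000.0, "event": {"action": "login", "user": "alice", "result": "failure"}},
    {"time": 1700000001.5, "event": {"action": "login", "user": "alice", "result": "success"}},
]

if __name__ == "__main__":
    # Placeholder token and host; read the real token from the environment.
    token = os.environ.get("SPLUNK_HEC_TOKEN", "00000000-0000-0000-0000-000000000000")
    req = build_hec_request("https://splunk.example.com:8088", token, SAMPLE_EVENTS)
    print(req.full_url)
    print(req.data.decode())
    # send(req)  # enable once base_url points at a reachable HEC endpoint
```

Setting the `time` field at the source preserves the original event timestamp even if a batch is delivered a moment later.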