uberAgent

Reuse of Open HTTP Connections

This article explains how the uberAgent endpoint agent handles open HTTP connections.

Where HTTP is Used

uberAgent makes use of HTTP(S) to send the collected data from the endpoint to some types of backends, for example, Splunk HEC, Elasticsearch, or Apache Kafka (via Confluent REST Proxy).

HTTP Connection Reuse

All HTTP(S) communication initiated by uberAgent is performed through libcurl (a variant of curl), which is probably the highest-quality networking library available today.

Libcurl automatically caches and reuses HTTP(S) connections. As the documentation states:

Reusing a connection instead of creating a new one offers significant benefits in speed and required resources.

Requirements for HTTP Connection Reuse

For an HTTP connection to be reused, both server and client must support and enable HTTP/1.1.

Splunk HTTP Event Collector (HEC)

In its default configuration, Splunk’s HTTP Event Collector (HEC) only enables HTTP/1.1 if the client sends a user agent string. uberAgent does that starting with version 6.0 beta 2.

We recommend configuring Splunk to always enable HTTP/1.1 for all versions of uberAgent by setting the following in the HEC’s inputs.conf file, located in $SPLUNK_HOME/etc/apps/splunk_httpinput/local:

[http]
forceHttp10 = never
<!--NeedCopy-->

Server Failover and Load-Balancing

uberAgent can be configured with multiple servers per receiver. When there is more than one server per receiver, uberAgent randomly switches between servers every 100 seconds. If a server does not respond, uberAgent fails over to the next server in the list. This algorithm ensures that the load is distributed evenly between backend servers.

Reuse of Open HTTP Connections