Reuse of Open HTTP Connections
This article explains how the uberAgent endpoint agent handles open HTTP connections.
uberAgent makes use of HTTP(S) to send the collected data from the endpoint to some types of backends, for example, Splunk HEC, Elasticsearch, or Apache Kafka (via Confluent REST Proxy).
All HTTP(S) communication initiated by uberAgent is performed through libcurl (the library behind the curl command-line tool), which is probably the highest-quality networking library available today.
Libcurl automatically caches and reuses HTTP(S) connections. As the documentation states:
"Reusing a connection instead of creating a new one offers significant benefits in speed and required resources."
For an HTTP connection to be reused, both server and client must support and enable HTTP/1.1.
In its default configuration, Splunk’s HTTP Event Collector (HEC) only enables HTTP/1.1 if the client sends a user agent string. uberAgent does that starting with version 6.0 beta 2.
We recommend configuring Splunk to always enable HTTP/1.1 for all versions of uberAgent by setting the following in the HEC’s inputs.conf file, located in
forceHttp10 = never
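One way to audit a configuration for this recommendation is shown below. It is an added example, not uberAgent or Splunk code. It assumes the setting lives in the `[http]` stanza, defaults to `auto`, and that setting names are case-sensitive; the sample inputs are constructed.

```python
"""Audit Splunk inputs.conf text for the HEC forceHttp10 recommendation (added example)."""

# Assumptions (not stated on the page): the setting belongs to the [http]
# stanza, its built-in default is "auto", and setting names are case-sensitive.
STANZA, KEY, DEFAULT = "http", "forceHttp10", "auto"

VERDICTS = {
    "never": "HTTP/1.1 always enabled; connections can be reused",
    "auto": "HTTP/1.1 depends on the client sending a user agent string",
    "always": "HTTP/1.0 forced; connections cannot be reused",
}


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; a later duplicate key wins."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def check_force_http10(text):
    """Return (ok, effective_value, message) for the [http] stanza."""
    settings = parse_conf(text).get(STANZA, {})
    # Keys are matched case-sensitively, so a mis-cased key is reported
    # instead of being silently treated as the real setting.
    miscased = [k for k in settings if k.lower() == KEY.lower() and k != KEY]
    value = settings.get(KEY, DEFAULT).lower()
    message = VERDICTS.get(value, "unrecognised value")
    if miscased:
        message += "; mis-cased key ignored: " + ", ".join(miscased)
    return value == "never", value, message


# Constructed sample inputs, not taken from a real deployment.
SAMPLE_DEFAULT = "[http]\ndisabled = 0\nport = 8088\n"
SAMPLE_FIXED = "# HEC global settings\n[http]\ndisabled = 0\nforceHttp10 = never\n"
SAMPLE_MISCASED = "[http]\nforcehttp10 = never\n"

if __name__ == "__main__":
    for name in ("SAMPLE_DEFAULT", "SAMPLE_FIXED", "SAMPLE_MISCASED"):
        print(name, check_force_http10(globals()[name]))
```

Splunk merges inputs.conf from several directories, so feed the check the merged view (for example the output of `splunk btool inputs list http`) rather than a single file.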
uberAgent can be configured with multiple servers per receiver. When there is more than one server per receiver, uberAgent randomly switches between servers every 100 seconds. If a server does not respond, uberAgent fails over to the next server in the list. This algorithm ensures that the load is distributed evenly between backend servers.