All Apps and Add-ons

Why is enabling Cisco ACI App for Splunk Enterprise creating a huge load on the APIC?

New Member

Cisco ACI APP for Splunk, when I enable this collection, it creates a huge load on the APIC.

[script://$SPLUNK_HOME/etc/apps/TA_cisco-ACI/bin/ -classInfo aaaModLR faultRecord eventRecord]

I have attempted to widen the interval, but it just reduces the number of times the load happens. The APIC is almost unusable while this collection is happening.  I removed these one at a time, and it appears to be the poll of the eventRecord that is causing the drag on the APIC. I thought Splunk would only pull in the new information since the last poll, but that does not appear to be what is actually happening.  Is this expected? Is there a way to remedy this issue?

Labels (2)
Tags (3)
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...