All Apps and Add-ons

eStreamer CPU usage

Brandon_ganem1
Path Finder

I'm attempting to log RNA flows with the eStreamer app, but it looks like the eStreamer client cannot keep up with the amount of data sent. Would it be possible to thread the app or set up multiple collections, with one going after IPS events, one after RNA events?

Alternatively, it looks like I will have to turn down the amount of logging I do to only include security intel feeds (and maybe a few other access policy rules). I like the idea of being able to go back and search any connection that has gone through the IPS.

Thank you!

0 Karma
1 Solution

cgrady_sf
Path Finder

Brandon,

Yeah I knew with flow collection that the sheer volume would be a problem, part of the reason the Settings screen warns about latency. Also part of the reason I didn't support it initially. In any case, I'll certainly be looking at ways to improve performance moving forward and threading is likely one of those ways. Thanks for the feedback.

Colin


cgrady_sf
Path Finder

Brandon,

The just released 2.1 version now pushes connection log collection into a separate process to improve collection and processing times and to reduce the possibility of introducing latency into intrusion and other events. I strongly suggest you give the new version a shot -- and please feel free to reach out with any feedback you may have.

Thank you!
Colin

0 Karma
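The design change Colin describes (moving the high-volume connection log stream into its own process so it cannot delay intrusion events) can be illustrated with a small queueing model. The following is an added example, not code from the eStreamer app or the Splunk add-on; it assumes nothing about the eStreamer protocol itself and uses a constructed burst of "flow" and "intrusion" records to show why a single shared FIFO lets RNA volume push IPS events back, while a queue (or process) per event type keeps intrusion latency independent of flow volume. The `flow_overflow` helper models the alternative Brandon raises, capping what is kept so the collector stays current at the cost of dropped connection records.

```python
"""Queue-per-event-type model for a collector that cannot keep up (added illustration)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Event:
    seq: int    # arrival order on the feed
    kind: str   # "flow" (RNA connection log) or "intrusion" (IPS event)


def build_stream(n_flows: int, every: int) -> List[Event]:
    """Constructed sample burst: n_flows connection records with one
    intrusion event inserted after every `every` flows."""
    events: List[Event] = []
    for i in range(n_flows):
        events.append(Event(len(events), "flow"))
        if (i + 1) % every == 0:
            events.append(Event(len(events), "intrusion"))
    return events


# Routing policies: which queue (worker/process) an event lands in.
def shared_queue(ev: Event) -> str:
    """Original layout: everything goes through one collector."""
    return "all"


def per_kind_queue(ev: Event) -> str:
    """2.1-style layout: each event type has its own collector."""
    return ev.kind


def max_intrusion_delay(events: List[Event], route: Callable[[Event], str]) -> int:
    """Burst model: the whole burst arrives before any worker drains it.
    An event's queueing delay is the number of events ahead of it in its
    own queue, so this returns the worst delay any intrusion event sees."""
    queues = defaultdict(deque)
    for ev in events:
        queues[route(ev)].append(ev)
    worst = 0
    for q in queues.values():
        for position, ev in enumerate(q):
            if ev.kind == "intrusion":
                worst = max(worst, position)
    return worst


def flow_overflow(events: List[Event], keep: int) -> int:
    """Model of reducing what is retained: flows go into a bounded queue that
    discards the oldest record when full. Returns how many flows were lost,
    i.e. the price of keeping the collector current this way."""
    flows = deque(maxlen=keep)
    total = 0
    for ev in events:
        if ev.kind == "flow":
            flows.append(ev)
            total += 1
    return total - len(flows)


if __name__ == "__main__":
    burst = build_stream(1000, 500)
    print("events in burst:", len(burst))
    print("worst IPS delay, shared queue:", max_intrusion_delay(burst, shared_queue))
    print("worst IPS delay, per-type queues:", max_intrusion_delay(burst, per_kind_queue))
    print("flows dropped if only 200 are kept:", flow_overflow(burst, 200))
```

Running it shows that with one shared queue the second intrusion event waits behind roughly a thousand connection records, while with a queue per event type it waits behind only the one intrusion event ahead of it; the flow bound shows how much data the "log less" workaround costs.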

Brandon_ganem1
Path Finder

Thanks! It's a huge step forward having the ability to collect these logs, it just means I have to reduce what is logged at the defense center level. Not a huge deal.

Being able to get security intel blocks and any other access policy blocks is a really big improvement.

Thanks for the work you guys put in on this!

0 Karma