
eStreamer CPU usage

Brandon_ganem1
Path Finder

I'm attempting to log RNA flows with the eStreamer app, but it looks like the eStreamer client cannot keep up with the amount of data sent. Would it be possible to thread the app or set up multiple collections, with one going after IPS events and one after RNA events?

Alternatively, it looks like I will have to turn down the amount of logging I do to only include security intel feeds (and maybe a few other access policy rules). I like the idea of being able to go back and search any connection that has gone through the IPS.

Thank you!

1 Solution

cgrady_sf
Path Finder

Brandon,

Yeah, I knew with flow collection that the sheer volume would be a problem; that's part of the reason the Settings screen warns about latency. Also part of the reason I didn't support it initially. In any case, I'll certainly be looking at ways to improve performance moving forward, and threading is likely one of those ways. Thanks for the feedback.

Colin


cgrady_sf
Path Finder

Brandon,

The just-released 2.1 version now pushes connection log collection into a separate process to improve collection and processing times and to reduce the possibility of introducing latency into intrusion and other events. I strongly suggest you give the new version a shot -- and please feel free to reach out with any feedback you may have.

Thank you!
Colin


Brandon_ganem1
Path Finder

Thanks! It's a huge step forward having the ability to collect these logs; it just means I have to reduce what is logged at the Defense Center level. Not a huge deal.

Being able to get Security intel blocks and any other access policy blocks is a real big improvement.

Thanks for the work you guys put in on this!
