Solved: Splunk REST interface slow

DavidHourani · ‎07-21-2019

Hi splunkers,

Im running a multisite clustered environment with SH clustering. When I'm on any SH running searches everything runs perfectly fine except when I try to run a REST command then it runs very slow. For example the search below even running locally takes ages when trying to hit any endpoint:

| rest /servicesNS/..... splunk_server=local

Any idea what could cause the rest endpoint to give slow results ? Has anyone had similar issues ? Splunk is running in the cloud..

Update: Same configuration seams to be working on prem with no problem. What could cause such slowness on AWS ?

DavidHourani · ‎11-04-2019

Heavy load on LDAP auth requests was the source of the issue.

View solution in original post

DavidHourani · ‎11-04-2019

Heavy load on LDAP auth requests was the source of the issue.

effem · ‎11-05-2019

It basically was the way Splunk handles LDAP-Requests in Combination with 40ms more delay per request.
Having Splunk doing 1000 requests per minute isn't expensive, when the delay is under a ms. But over the internet it becomes significant and draws lots of CPU Time.

wmyersas · ‎10-17-2019

My guess is that this is related to what endpoints have been configured to allow rest calls - https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Restmapconf

Splunk REST interface slow

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]