Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk REST interface slow

DavidHourani
Super Champion
‎07-21-2019 01:37 PM

Hi splunkers,

Im running a multisite clustered environment with SH clustering. When I'm on any SH running searches everything runs perfectly fine except when I try to run a REST command then it runs very slow. For example the search below even running locally takes ages when trying to hit any endpoint:

| rest /servicesNS/..... splunk_server=local

Any idea what could cause the rest endpoint to give slow results ? Has anyone had similar issues ? Splunk is running in the cloud..

Update: Same configuration seams to be working on prem with no problem. What could cause such slowness on AWS ?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎11-04-2019 11:15 PM

Heavy load on LDAP auth requests was the source of the issue.

View solution in original post

Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎11-04-2019 11:15 PM

Heavy load on LDAP auth requests was the source of the issue.

Reply
Solved! Jump to solution

effem
Communicator
‎11-05-2019 04:47 AM

It basically was the way Splunk handles LDAP-Requests in Combination with 40ms more delay per request.
Having Splunk doing 1000 requests per minute isn't expensive, when the delay is under a ms. But over the internet it becomes significant and draws lots of CPU Time.

0 Karma
Reply
Solved! Jump to solution

wmyersas
Builder
‎10-17-2019 12:02 PM

My guess is that this is related to what endpoints have been configured to allow rest calls - https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/Restmapconf

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...