Symantec 14.0 and Splunk 7.0.0 (splunkd) not playing well together

Path Finder

Good afternoon,
I have a problem with Symantec 14.0 and the Splunk 7 Universal Forwarder not playing well together. Whenever the forwarder is running, Symantec CPU use goes to 99% for every 10 seconds out of 60. This has killed our performance on the production servers. Let me know what information you might need and I can post it. Thank you!


SplunkTrust

Hi aoleske,

Please read the docs about Splunk Enterprise and anti-virus products http://docs.splunk.com/Documentation/Splunk/7.0.0/ReleaseNotes/RunningSplunkalongsideWindowsantiviru... and the recommendations in it.

Hope this helps ...

cheers, MuS

Path Finder

I forgot to come back and accept the answer. Thanks for the reminder! 🙂 This took care of the issue.
We are seeing the issue with Splunk 6.X and 7.X where we are running Symantec 14.X. We are not seeing the issue where we are running Symantec 12.X, but your mileage may vary. After reading the doc MuS pointed us to, we made an exception for the $SPLUNK_HOME dir in Symantec and the CPU load has returned to normal. Thanks MuS!

Splunk Employee

Hey @aoleske, if this answered your question, please remember to "√Accept" the answer to award karma points and to let other Splunkers know it's a golden answer. We're hosting a karma point contest, so it's particularly awesome to upvote on the forum these days. 😄

Path Finder

We are seeing these symptoms on servers with no add-ons and only the Splunk internal logs being collected. This is a basic install of the UF with only defaults used (except for defining our Splunk server name). We are using the default ports of 9997 and 8089. We are running as local system. The deployment server sees the client, and we are collecting Splunk internal logs, so all appears to be running correctly.

Path Finder

This is Symantec Endpoint Protection, not the add-on.
