Symantec 14.0 and Splunk 7.0.0 (splunkd) not playing well together

aoleske
Path Finder

Good afternoon,
I have a problem with Symantec 14.0 and Splunk 7 Universal Forwarder not playing well together. Whenever the forwarder is running, Symantec use goes to 99% for every 10 seconds out of 60. This has killed our performance on the production servers. Let me know what information you might need and I can post it. Thank you!

0 Karma
1 Solution

MuS
Legend

Hi aoleske,

Please read the docs about Splunk Enterprise and anti-virus products http://docs.splunk.com/Documentation/Splunk/7.0.0/ReleaseNotes/RunningSplunkalongsideWindowsantiviru... and the recommendations in it.

Hope this helps ...

cheers, MuS

0 Karma

aoleske
Path Finder

I forgot to come back and accept the answer. Thanks for the reminder! 🙂 This took care of the issue.
We are seeing the issue with Splunk 6.X and 7.X where we are running Symantec 14.X. We are not seeing the issue where we are running Symantec 12.X, but your mileage may vary. After reading the doc MuS pointed us to, we made an exception for the $SPLUNK_HOME dir in Symantec and the CPU load has returned to normal. Thanks MuS!

0 Karma
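A way to confirm the periodic spike described above, and to check that it is gone after the $SPLUNK_HOME exclusion is in place, as an added PowerShell example that is not part of this thread. It assumes the Symantec Endpoint Protection service runs as ccSvcHst and the forwarder as splunkd, and that it is run in an elevated PowerShell on the affected server.

```powershell
# Added example (not from the thread): sample per-second CPU for splunkd and the
# SEP service over one minute and report how many seconds each spent above a
# threshold, plus the longest contiguous spike. Run it before and after adding
# the $SPLUNK_HOME exclusion to see whether the "99% for ~10 of 60 seconds"
# pattern disappears.
# Assumptions: SEP service process name is ccSvcHst (a second instance would
# appear as ccSvcHst#1 and is not sampled here); the UF process is splunkd.
param(
    [string[]] $Processes = @('splunkd', 'ccSvcHst'),
    [int]      $Seconds   = 60,
    [double]   $Threshold = 90
)

# Per-process "% Processor Time" is summed across cores, so normalise to 0..100.
$cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
$paths = $Processes | ForEach-Object { "\Process($_)\% Processor Time" }

# One sample per second; keep going if a process is briefly absent.
$samples = Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples $Seconds `
                       -ErrorAction SilentlyContinue

foreach ($proc in $Processes) {
    $busy = 0; $streak = 0; $longest = 0
    foreach ($s in $samples) {
        # Counter paths come back lowercased; -like is case-insensitive.
        $cs = $s.CounterSamples | Where-Object { $_.Path -like "*\process($proc)\*" }
        if (-not $cs) { $streak = 0; continue }
        $pct = $cs.CookedValue / $cores
        if ($pct -ge $Threshold) {
            $busy++; $streak++
            if ($streak -gt $longest) { $longest = $streak }
        } else {
            $streak = 0
        }
    }
    [pscustomobject]@{
        Process        = $proc
        SecondsSampled = $samples.Count
        SecondsBusy    = $busy      # seconds at or above $Threshold
        LongestSpike   = $longest   # longest run of consecutive busy seconds
    }
}
```

With the exclusion missing, the symptom in this thread shows up as SecondsBusy near 10 and LongestSpike near 10 for the SEP process; after the exclusion both should drop to single digits or zero.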

lfedak_splunk
Splunk Employee

Hey @aoleske, if this answered your question, please remember to "√Accept" the answer to award karma points and to let other Splunkers know it’s a golden answer. We’re hosting a karma point contest, so it’s particularly awesome to up vote on the forum these days. 😄

0 Karma

aoleske
Path Finder

We are seeing these symptoms on servers with no add-ons and only the Splunk internal logs being collected. This is a basic install of the UF with only defaults used (except for defining our Splunk server name). We are using the default ports of 9997 and 8089. We are running as local system. The deployment server sees the client, and we are collecting Splunk internal logs, so all appears to be running correctly.

0 Karma

aoleske
Path Finder

This is Symantec End Point Protection, not the add-on.

0 Karma