Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a user count cap?

andywins
Explorer
‎10-24-2013 12:02 PM

Can Splunk handle 60k users?

Scenario:

  • Using external authentication via python script
  • Python methods using ODBC to query users from a database table
  • Splunk 6.0
  • Fast hardware
  • Fresh install, very little data, only using "main" index
  • Only one custom role (not 60k roles)

Problems (while logged in as Administrator):

  • Getting to the role management page takes ~20 seconds to load. Same goes for saving any changes.
  • Bringing up the role management page (and users management page) kicks off 60k "getUserInfo" requests. Several complete per second but each time it's called, it's hitting my table. Why can't Splunk just call "getUsers" instead? This process won't finish for hours.

Problems (while logged in as a user from my database)

  • The default search app never finishes loading, therefore no searching can take place. The same goes for reports/dashboards. I don't get a timeout message and I've not added any search filters that would hide data from this user.

Why is Splunk choking on this authentication configuration? Would it run differently with 60k users under an LDAP configuration?

Reply

andywins
Explorer
‎10-24-2013 03:10 PM

I believe sql server was piping unicode characters over to Splunk which may have broken down after Python tried to print those characters via stdout. The following strips down to ascii characters:

out = "".join(i for i in row.responseFromSQL if ord(i)<128)

After this change, I've been unable to recreate the problem. Users can now navigate the search app.

On a side note, getUserInfo is still being called roughly 10 times each second after an Admin brings up the roles page. I consider that a bug as I'm sure my DBA will not be thrilled.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise Security 8.0!

Join us on Wednesday, November 20 to learn about Splunk Enterprise Security 8.0!To enhance SOC efficiency, ...

Mastering Threat Hunting

Register to watch Mastering Threat Hunting on Monday, November 18Join us for an insightful talk where we dive ...

Upcoming Community Maintenance: 10/28

Howdy folks, just popping in to let you know that the Splunk Community site will be in read-only mode ...