Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a user count cap?

andywins
Explorer
‎10-24-2013 12:02 PM

Can Splunk handle 60k users?

Scenario:

  • Using external authentication via python script
  • Python methods using ODBC to query users from a database table
  • Splunk 6.0
  • Fast hardware
  • Fresh install, very little data, only using "main" index
  • Only one custom role (not 60k roles)

Problems (while logged in as Administrator):

  • Getting to the role management page takes ~20 seconds to load. Same goes for saving any changes.
  • Bringing up the role management page (and users management page) kicks off 60k "getUserInfo" requests. Several complete per second but each time it's called, it's hitting my table. Why can't Splunk just call "getUsers" instead? This process won't finish for hours.

Problems (while logged in as a user from my database)

  • The default search app never finishes loading, therefore no searching can take place. The same goes for reports/dashboards. I don't get a timeout message and I've not added any search filters that would hide data from this user.

Why is Splunk choking on this authentication configuration? Would it run differently with 60k users under an LDAP configuration?

Reply

andywins
Explorer
‎10-24-2013 03:10 PM

I believe sql server was piping unicode characters over to Splunk which may have broken down after Python tried to print those characters via stdout. The following strips down to ascii characters:

out = "".join(i for i in row.responseFromSQL if ord(i)<128)

After this change, I've been unable to recreate the problem. Users can now navigate the search app.

On a side note, getUserInfo is still being called roughly 10 times each second after an Admin brings up the roles page. I consider that a bug as I'm sure my DBA will not be thrilled.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...