Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a user count cap?

andywins
Explorer
‎10-24-2013 12:02 PM

Can Splunk handle 60k users?

Scenario:

  • Using external authentication via python script
  • Python methods using ODBC to query users from a database table
  • Splunk 6.0
  • Fast hardware
  • Fresh install, very little data, only using "main" index
  • Only one custom role (not 60k roles)

Problems (while logged in as Administrator):

  • Getting to the role management page takes ~20 seconds to load. Same goes for saving any changes.
  • Bringing up the role management page (and users management page) kicks off 60k "getUserInfo" requests. Several complete per second but each time it's called, it's hitting my table. Why can't Splunk just call "getUsers" instead? This process won't finish for hours.

Problems (while logged in as a user from my database)

  • The default search app never finishes loading, therefore no searching can take place. The same goes for reports/dashboards. I don't get a timeout message and I've not added any search filters that would hide data from this user.

Why is Splunk choking on this authentication configuration? Would it run differently with 60k users under an LDAP configuration?

Reply

andywins
Explorer
‎10-24-2013 03:10 PM

I believe sql server was piping unicode characters over to Splunk which may have broken down after Python tried to print those characters via stdout. The following strips down to ascii characters:

out = "".join(i for i in row.responseFromSQL if ord(i)<128)

After this change, I've been unable to recreate the problem. Users can now navigate the search app.

On a side note, getUserInfo is still being called roughly 10 times each second after an Admin brings up the roles page. I consider that a bug as I'm sure my DBA will not be thrilled.

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...