Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

High CPU and memory usage with ESS (Enterprise Security Suite)

LukeMurphey
Champion
‎05-10-2011 02:56 PM

I am experiencing high CPU and memory usage with ESS. In some case, the resource usage is high enough to cause Splunk to crash. How can I fix this issue?

Reply
1 Solution
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎05-10-2011 02:59 PM

Synopsis:

Adding the notable index to the "Indexes searched by default" may cause correlation searches to enter a feedback loop that causes excessive resource usage.

Description:

This issue can be caused when the the notable index is indexes to be searched by default. In particular, this causes some of the ESS's correlation searches to trigger on their own findings since correlation searches included information about what originally triggered them in the notable index. Adding the notable index to the default searches indexes causes correlation searches to re-detect another finding based on the content of a prevous correlation search firing.

Solution:

The solution is to remove the notable index from the list of indexes to be searched by default.

Fixing via the CLI:

To fix the issue via the CLI, open or create the file $SPLUNK_HOME/etc/system/local/authorize.conf and change the "srchIndexesDefault" parameter for each role to exclude the notable index. Below is a sample config:

[role_admin]
srchIndexesDefault = main

Fixing via the GUI:

To fix the misconfiguration through the SplunkWeb interface use the steps defined below:

  1. Open the Manager (through the link in the top right of SplunkWeb)
  2. Open the configuration page for user roles by navigating to: Manager » Access controls » Roles
  3. For each role: remove "notable" from the "Indexes searched by default" option

View solution in original post

Reply
Solved! Jump to solution
Solution

LukeMurphey
Champion
‎05-10-2011 02:59 PM

Synopsis:

Adding the notable index to the "Indexes searched by default" may cause correlation searches to enter a feedback loop that causes excessive resource usage.

Description:

This issue can be caused when the the notable index is indexes to be searched by default. In particular, this causes some of the ESS's correlation searches to trigger on their own findings since correlation searches included information about what originally triggered them in the notable index. Adding the notable index to the default searches indexes causes correlation searches to re-detect another finding based on the content of a prevous correlation search firing.

Solution:

The solution is to remove the notable index from the list of indexes to be searched by default.

Fixing via the CLI:

To fix the issue via the CLI, open or create the file $SPLUNK_HOME/etc/system/local/authorize.conf and change the "srchIndexesDefault" parameter for each role to exclude the notable index. Below is a sample config:

[role_admin]
srchIndexesDefault = main

Fixing via the GUI:

To fix the misconfiguration through the SplunkWeb interface use the steps defined below:

  1. Open the Manager (through the link in the top right of SplunkWeb)
  2. Open the configuration page for user roles by navigating to: Manager » Access controls » Roles
  3. For each role: remove "notable" from the "Indexes searched by default" option
Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎11-30-2011 08:27 AM

Solved it for me!

0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...