- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- High CPU and memory usage with ESS (Enterprise Sec...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am experiencing high CPU and memory usage with ESS. In some case, the resource usage is high enough to cause Splunk to crash. How can I fix this issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Synopsis:
Adding the notable index to the "Indexes searched by default" may cause correlation searches to enter a feedback loop that causes excessive resource usage.
Description:
This issue can be caused when the the notable index is indexes to be searched by default. In particular, this causes some of the ESS's correlation searches to trigger on their own findings since correlation searches included information about what originally triggered them in the notable index. Adding the notable index to the default searches indexes causes correlation searches to re-detect another finding based on the content of a prevous correlation search firing.
Solution:
The solution is to remove the notable index from the list of indexes to be searched by default.
Fixing via the CLI:
To fix the issue via the CLI, open or create the file $SPLUNK_HOME/etc/system/local/authorize.conf and change the "srchIndexesDefault" parameter for each role to exclude the notable index. Below is a sample config:
[role_admin]
srchIndexesDefault = main
Fixing via the GUI:
To fix the misconfiguration through the SplunkWeb interface use the steps defined below:
- Open the Manager (through the link in the top right of SplunkWeb)
- Open the configuration page for user roles by navigating to: Manager » Access controls » Roles
- For each role: remove "notable" from the "Indexes searched by default" option
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Synopsis:
Adding the notable index to the "Indexes searched by default" may cause correlation searches to enter a feedback loop that causes excessive resource usage.
Description:
This issue can be caused when the the notable index is indexes to be searched by default. In particular, this causes some of the ESS's correlation searches to trigger on their own findings since correlation searches included information about what originally triggered them in the notable index. Adding the notable index to the default searches indexes causes correlation searches to re-detect another finding based on the content of a prevous correlation search firing.
Solution:
The solution is to remove the notable index from the list of indexes to be searched by default.
Fixing via the CLI:
To fix the issue via the CLI, open or create the file $SPLUNK_HOME/etc/system/local/authorize.conf and change the "srchIndexesDefault" parameter for each role to exclude the notable index. Below is a sample config:
[role_admin]
srchIndexesDefault = main
Fixing via the GUI:
To fix the misconfiguration through the SplunkWeb interface use the steps defined below:
- Open the Manager (through the link in the top right of SplunkWeb)
- Open the configuration page for user roles by navigating to: Manager » Access controls » Roles
- For each role: remove "notable" from the "Indexes searched by default" option
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved it for me!
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
