Just an update on my end on this. An upgrade fixed the problem. I think it was related to a setting around sslCompression internally in Splunk that looks to have been the issue. The new version 8.2.2 has this setting set to false; it was true in the old version we ran (8.1.3).

In server.conf on both search heads (search head cluster) and indexers (indexer cluster):

[sslConfig]
useClientSSLCompression = false

I saw that this fixed the same problems on another customer on 8.1.4 (I think). useClientSSLCompression is default true in older versions, it is false on the new. If you run older versions of Splunk and search head cluster (I have not seen it on single search head and indexer cluster) - you could try the above to see if that works.

Regards
André
Hello, as far as we could investigate, only dbconnect is giving problems (fetching 4 times the data, instead of doing only one fetch from the database). Note, as I said, that this problem started two days ago after this system has been working for years without problems. No one seems to have touched the configuration, though. Thanks