Admin BEWARE! (index=* w/ accelerated datamodels)

jtrujillo · ‎03-12-2019

This app should be index=f5-* by default rather than index=*. If the default on the iApp side is f5-* .... just use that please.

This is a VERY DANGEROUS app to put into a production environment.

Please be aware that this could negatively impact your environment if installed in a vanilla state.

Owner, I can/will/want to take this down if the app is reconfigured to have a default of index=f5-*

Also, please disable the DM acceleration by default.

awillcox · ‎05-21-2020

I wish I would have seen this earlier. We've been having performance issues with our system for months and they finally alleviated themselves once we disabled the this app from Splunk among other things. Considering the poor results I'm getting from trying to rely on Syslog, I may end up re-implementing this iApp.

gjanders · ‎05-21-2020

Alerts for Splunk Admins has some alerts around this but not sure if I covered data models or not 🙂
Beware of all time data models as well

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

gjanders · ‎03-12-2019

I believe this is part of a larger problem that Splunk does not publish a best practice list for the apps.

The app inspect program is the closest that is available currently and it does do various checks for "best practice", this app does not have the app inspect badge

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

Admin BEWARE! (index=* w/ accelerated datamodels)

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?