Security

Is there a user count cap?

andywins
Explorer

Can Splunk handle 60k users?

Scenario:

  • Using external authentication via python script
  • Python methods using ODBC to query users from a database table
  • Splunk 6.0
  • Fast hardware
  • Fresh install, very little data, only using "main" index
  • Only one custom role (not 60k roles)

Problems (while logged in as Administrator):

  • Getting to the role management page takes ~20 seconds to load. Same goes for saving any changes.
  • Bringing up the role management page (and users management page) kicks off 60k "getUserInfo" requests. Several complete per second but each time it's called, it's hitting my table. Why can't Splunk just call "getUsers" instead? This process won't finish for hours.

Problems (while logged in as a user from my database)

  • The default search app never finishes loading, therefore no searching can take place. The same goes for reports/dashboards. I don't get a timeout message and I've not added any search filters that would hide data from this user.

Why is Splunk choking on this authentication configuration? Would it run differently with 60k users under an LDAP configuration?

andywins
Explorer

I believe sql server was piping unicode characters over to Splunk which may have broken down after Python tried to print those characters via stdout. The following strips down to ascii characters:

out = "".join(i for i in row.responseFromSQL if ord(i)<128)

After this change, I've been unable to recreate the problem. Users can now navigate the search app.

On a side note, getUserInfo is still being called roughly 10 times each second after an Admin brings up the roles page. I consider that a bug as I'm sure my DBA will not be thrilled.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...