Getting Data In

Symantec 14.0 and Splunk 7.0.0 (splunkd) not playing well together

aoleske
Path Finder

Good afternoon,
I have a problem with Symantec 14.0 and splunk 7 Universal Forwarder not playing well together. Whenever the forwarder is running, Symantic use goes to 99% for every 10 seconds out of 60. This has killed our performance on the production servers. Let me know what information you might need and I can post it. Thank you!

0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi aoleske,

please read the docs about Splunk Enterprise and anti-virus products http://docs.splunk.com/Documentation/Splunk/7.0.0/ReleaseNotes/RunningSplunkalongsideWindowsantiviru... and the recommendations in it.

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi aoleske,

please read the docs about Splunk Enterprise and anti-virus products http://docs.splunk.com/Documentation/Splunk/7.0.0/ReleaseNotes/RunningSplunkalongsideWindowsantiviru... and the recommendations in it.

Hope this helps ...

cheers, MuS

0 Karma

aoleske
Path Finder

I forgot to come back and accept the answer. Thanks for the reminder! 🙂 this took care of the issue.
We are seeing the issue with Splunk 6.X and 7.X where we are running Symantec 14.X. We are not seeing the issue where we are running Symantec 12.X, but your mileage may vary. After reading the doc MuS pointed us to, we made an exception for the $SPLUNK_HOME dir in Symantec and the CPU load has returned to normal. Thanks MuS!

0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

Hey @aoleske, if this answered your question, please remember to "√Accept" the answer to award karma points and to let other Splunkers know it’s a golden answer. We’re hosting a karma point contest, so it’s particularly awesome to up vote on the forum these days. 😄

0 Karma

aoleske
Path Finder

we are seeing these symptoms on servers with no add-ons and only the splunk internal logs being collected. This is a basic install of the UF with only defaults used (Except for defining our splunk server name). We are using the default ports of 9997 and 8089. We are running as local system. The deployment server sees the client, and we are collecting splunk internal logs, so all appears to be running correctly.

0 Karma

aoleske
Path Finder

This is Symantec End Point Protection, not the add-on.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...