Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Troubleshoot your deployment

This section provides tips for troubleshooting possible issues with your Splunk App for PCI Compliance deployment.

Other required apps

Splunk platform implements some of its functionality through separate apps. Do not disable any of these apps:

  • learned
  • search
  • launcher
  • user-prefs

General performance

Where appropriate, you can improve performance of the Splunk App for PCI Compliance and reduce hardware requirements by limiting the indexes used by the app.

If the Splunk App for PCI Compliance is limited to a subset of indexes, all of the indexes it searches require admin access, as described in Set up multiple indexes in Managing Indexers and Clusters of Indexers.

By default the search head searches the "main" index.

Measuring system performance

You can use IOZone on Windows to measure system performance. IOzone will output the data in IOPS if the "-O" argument is specified.

Below is an example of IOzone invocation to store results in an Excel spreadsheet with IOPS:

iozone -s 4g -r 2k -r 4k -r 8k -r 16k -r 32k -O -b results.xls

Performance on UNIX systems

The search head that is hosting the Splunk App for PCI Compliance should be configured for high performance. UNIX systems should check the ulimit setting in particular, as this can artificially limit the operating system's capacity.

Other performance impacts include the Linux swappiness setting. Consult with your UNIX systems administrator for high performance build recommendations.

Other troubleshooting tips

  • Verify that you have the minimum version of Splunk Enterprise installed. See Install Prerequisites in this manual for more information.
  • Disable other apps on the search head you are using for the Splunk App for PCI Compliance. If you are using Splunk add-ons for Cisco, disable the saved searches. See the FAQ for details.
  • If you upgrade to PCI 4.4.0 and your notable events are no longer showing up, make sure the correlation searches that are relevant to your use cases for PCI are enabled and recreate the notable events. See Enable correlation searches and Create a notable event.
Last modified on 10 November, 2020
Upgrade the Splunk App for PCI Compliance   FAQ

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.8.0, 3.8.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.3.0, 4.4.0, 4.4.1, 4.5.0 Cloud only, 4.6.0, 4.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters