Splunk® Enterprise

Release Notes


Splunk Enterprise and anti-virus products

Splunk requires ample disk I/O bandwidth to perform indexing tasks. In particular, disk write operations are very intensive. These disk writes can clash with any product - such as anti-virus on-access scan software - that installs a driver that intermediates between Splunk and the operating system.

When you run Splunk (Enterprise or forwarder) on a host that has an anti-virus product (such as McAfee VirusScan on Windows or Trend Micro ServerProtect on Linux) installed, Splunk strongly recommends that you exclude all Splunk processes as well as the Splunk installation directory from any kind of on-access scanning.

On Windows hosts, on-access scanners can significantly decrease performance. On *nix hosts, these scanners can use up file descriptors and render a host completely inaccessible.

Files and processes to exclude

The following table lists the Splunk directories and executables you should exclude from anti-virus scanning on Windows and *nix hosts.

Splunk Enterprise (Windows)

Directories to exclude:
  • \Program Files\Splunk (%SPLUNK_HOME%) and all sub-directories
  • \Program Files\Splunk\var\lib\splunk (%SPLUNK_DB%) and all sub-directories

Processes to exclude:
  • splunk-admon.exe
  • splunk-compresstool.exe
  • splunk-MonitorNoHandle.exe
  • splunk-netmon.exe
  • splunk-optimize-lex.exe
  • splunk-optimize.exe
  • splunk-perfmon.exe
  • splunk-regmon.exe
  • splunk-winevtlog.exe
  • splunk-winhostinfo.exe
  • splunk-winprintmon.exe
  • splunk-wmi.exe
  • splunk.exe
  • splunkd.exe
  • splunkweb.exe

Splunk universal forwarder (Windows)

Directories to exclude:
  • \Program Files\SplunkUniversalForwarder (%SPLUNK_HOME%) and all sub-directories

Processes to exclude:
  • splunk-admon.exe
  • splunk-compresstool.exe
  • splunk-MonitorNoHandle.exe
  • splunk-netmon.exe
  • splunk-optimize-lex.exe
  • splunk-optimize.exe
  • splunk-perfmon.exe
  • splunk-regmon.exe
  • splunk-winevtlog.exe
  • splunk-winhostinfo.exe
  • splunk-winprintmon.exe
  • splunk-wmi.exe
  • splunk.exe
  • splunkd.exe

Splunk Enterprise (*nix)

Directories to exclude:
  • /opt/splunk ($SPLUNK_HOME) and all sub-directories
  • /opt/splunk/var/lib/splunk ($SPLUNK_DB) and all sub-directories
  • OS X: /Applications/splunkforwarder and all sub-directories

Processes to exclude:
  • bloom
  • btool
  • btprobe
  • bzip2
  • cherryd
  • classify
  • exporttool
  • locktest
  • locktool
  • node
  • python*
  • splunk
  • splunkd
  • splunkmon
  • tsidxprobe
  • tsidxprobe_plo
  • walklex

Splunk universal forwarder (*nix)

Directories to exclude:
  • /opt/splunkforwarder ($SPLUNK_HOME) and all sub-directories
  • OS X: /Applications/splunkforwarder

Processes to exclude:
  • Same as Splunk Enterprise (*nix)

Other items to exclude

If you run a Splunk app or add-on on your Splunk Enterprise instance or forwarder, exclude any executables that come with the app or add-on. For example, the Splunk Add-on for PowerShell is a modular input that ships with an executable named powershell.exe, which should also be excluded from anti-virus scans when it runs.

In general, any file associated with Splunk that can be executed should be excluded from scanning. You might need to inspect additional files in apps or add-ons to determine whether or not they qualify.
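As an added example that is not part of this documentation, the following PowerShell script applies the "Splunk Enterprise (Windows)" row of the table to Microsoft Defender Antivirus, a product this page does not cover (McAfee and Trend Micro have their own exclusion consoles). It assumes the default installation path unless %SPLUNK_HOME% is set, and that it runs in an elevated session.

```powershell
# Added example (not from the Splunk documentation): applies the exclusions
# listed above to Microsoft Defender Antivirus, which this page does not
# mention; the Add-MpPreference/Get-MpPreference cmdlets are Defender's.
# Assumes Splunk Enterprise at the default path; adjust $SplunkHome otherwise.
#Requires -RunAsAdministrator

$SplunkHome = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\Splunk' }
$SplunkDb   = Join-Path $SplunkHome 'var\lib\splunk'   # %SPLUNK_DB% default location

# Process names from the "Splunk Enterprise (Windows)" row of the table.
$SplunkProcesses = @(
    'splunk-admon.exe', 'splunk-compresstool.exe', 'splunk-MonitorNoHandle.exe',
    'splunk-netmon.exe', 'splunk-optimize-lex.exe', 'splunk-optimize.exe',
    'splunk-perfmon.exe', 'splunk-regmon.exe', 'splunk-winevtlog.exe',
    'splunk-winhostinfo.exe', 'splunk-winprintmon.exe', 'splunk-wmi.exe',
    'splunk.exe', 'splunkd.exe', 'splunkweb.exe'
)

# Only binaries that actually exist under $SplunkHome\bin are excluded; names
# that are missing on this version are reported instead of excluded blindly,
# so the exclusion list stays as narrow as the installed software.
$binDir  = Join-Path $SplunkHome 'bin'
$present = $SplunkProcesses | Where-Object { Test-Path (Join-Path $binDir $_) }
$missing = $SplunkProcesses | Where-Object { $_ -notin $present }
if ($missing) { Write-Warning "Not found in ${binDir}: $($missing -join ', ')" }

# Path exclusions cover the whole directory tree. %SPLUNK_DB% sits under
# %SPLUNK_HOME% by default but is listed separately in case it was relocated.
Add-MpPreference -ExclusionPath $SplunkHome, $SplunkDb

# Process exclusions use full paths so an unrelated binary with the same file
# name elsewhere on the host does not inherit the exclusion.
if ($present) {
    Add-MpPreference -ExclusionProcess ($present | ForEach-Object { Join-Path $binDir $_ })
}

# Read back what Defender now holds, so the change can be reviewed or audited.
$pref = Get-MpPreference
$pref.ExclusionPath    | Where-Object { $_ -like "$SplunkHome*" }
$pref.ExclusionProcess | Where-Object { $_ -like "$binDir*" }
```

For a universal forwarder, replace the default path with \Program Files\SplunkUniversalForwarder and drop splunkweb.exe from the list, as in the table above; executables shipped by apps or add-ons can be appended to the same process list.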


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2

