Troubleshoot adaptive response relays from Splunk Cloud Platform Enterprise Security search head to an on-premises device
Issue
Performance issues might occur with the Common Action Model (CAM) queue when running the adaptive response modular input.
Cause
The adaptive response modular input runs at a default interval of 2 minutes. To avoid exposing critical infrastructure controls, adaptive response actions are queued on the Splunk Cloud Platform search head.
Solution
You can adjust the CAM queue interval based on your needs. A more frequent execution time places additional load on the Splunk Cloud Platform Enterprise Security search head.
To avoid performance problems with the Common Action Model (CAM) queue, adjust the interval to run less frequently, and do not set it below 10 seconds. The queued actions store the metadata and search results that a proxy uses to run adaptive response actions from your on-premises environment.
Also, ensure that your heavy forwarder is configured to forward its data to your indexers. This includes forwarding data from the relayed modular actions. You can run a search similar to the following search on your Splunk Enterprise Security search head to verify that data is forwarding, where hf1 is the name of your heavy forwarder:
index="cim_modactions" host=hf1
If this search never returns results, then your heavy forwarder is experiencing issues connecting to the Splunk Enterprise Security search head.
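The following search is an added diagnostic, not part of this page or of Splunk's documented searches. It extends the verification search above so that, rather than only confirming that some data arrives from the heavy forwarder, it shows for each relayed action how recently the forwarder last reported and whether the actions completed. It assumes that the relayed modular action events in the cim_modactions index carry the action_name and action_status fields written by the modular action logging library, and hf1 is again the host name of your heavy forwarder.

```spl
index="cim_modactions" host=hf1
| stats count AS events, latest(_time) AS last_seen BY host, action_name, action_status
| eval minutes_since_last=round((now() - last_seen) / 60, 1)
| sort - last_seen
```

An empty result has the same meaning as for the original search: the heavy forwarder is not delivering data to the indexers that the search head searches. A populated result whose minutes_since_last keeps growing while new actions continue to be queued on the search head indicates that the relay or the forwarding path has stalled after initially working, which is worth checking before changing the CAM queue interval.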
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1