Splunk® Enterprise Security

Troubleshoot Splunk Enterprise Security

Troubleshoot adaptive response relays from Splunk Cloud Platform Enterprise Security search head to an on-premises device

Issue

Performance issues might occur with the Common Action Model (CAM) queue when running the adaptive response modular input.

Cause

The adaptive response modular input runs at a default interval of 2 minutes. To avoid exposing critical infrastructure controls, adaptive response actions are queued on the Splunk Cloud Platform search head.

Solution

You can adjust the CAM queue interval based on your needs. A shorter interval (more frequent execution) places additional load on the Splunk Cloud Platform Enterprise Security search head.

To avoid performance problems with the Common Action Model (CAM) queue, adjust the interval to run less frequently, and do not set it below 10 seconds. The queued actions store the metadata and search results that turn on a proxy to run adaptive response actions from your on-premises environment.

Also, ensure that your heavy forwarder is configured to forward its data to your indexers. This includes the data generated by the relayed modular actions. To verify that the data is being forwarded, run a search similar to the following on your Splunk Enterprise Security search head, where hf1 is the name of your heavy forwarder:

index="cim_modactions" host=hf1

If this search never returns results, then your heavy forwarder is experiencing issues connecting to the Splunk Enterprise Security search head.

Last modified on 08 August, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0

