Troubleshoot your deployment
This section provides tips for troubleshooting possible issues with your Splunk App for PCI Compliance deployment.
Other required apps
Splunk Enterprise implements some of its functionality through separate apps. Do not disable any of these apps:
- learned
- search
- launcher
- user-prefs
General performance
When adding indexes to the default search indexes, do not include any summary indexes, because this can cause a search and summary index loop. See the PCI Compliance Manual FAQ in the PCI Compliance User Manual for details.
Where appropriate, you can improve performance of the Splunk App for PCI Compliance and reduce hardware requirements by limiting the indexes used by the app.
If the Splunk App for PCI Compliance is limited to a subset of indexes, all of the indexes it searches require admin access, as described in "Set up multiple indexes" in Managing Indexers and Clusters of Indexers.
Note: By default the search head will search over the "main" index.
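An added example, not part of the Splunk documentation: a Python check that reads the role stanzas of an authorize.conf file and reports every role whose srchIndexesDefault list, wildcards included, reaches a summary index. The sample configuration, the role names and the "pci_summary" index name are constructed for illustration; replace the summary index list with the names used in your deployment.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf content; role and index names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_pci_analyst]
srchIndexesDefault = main;firewall;pci_summary

[role_admin]
srchIndexesDefault = *;_*

[role_user]
srchIndexesDefault = main
"""

# Assumed summary index names for this deployment ("pci_summary" is hypothetical).
SUMMARY_INDEXES = ["summary", "pci_summary"]


def index_matches(index, pattern):
    """True if a srchIndexesDefault entry (may contain wildcards) covers index."""
    # A pattern that does not start with "_" does not cover internal indexes.
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatchcase(index, pattern)


def summary_indexes_in_defaults(conf_text, summary_indexes):
    """Return {role stanza: [summary indexes searched by default]}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk setting names are case-sensitive
    parser.read_string(conf_text)
    findings = {}
    for stanza in parser.sections():
        if not stanza.startswith("role_"):
            continue
        raw = parser.get(stanza, "srchIndexesDefault", fallback="")
        patterns = [p.strip() for p in raw.split(";") if p.strip()]
        hits = sorted(i for i in summary_indexes
                      if any(index_matches(i, p) for p in patterns))
        if hits:
            findings[stanza] = hits
    return findings


if __name__ == "__main__":
    for role, hits in summary_indexes_in_defaults(
            SAMPLE_AUTHORIZE_CONF, SUMMARY_INDEXES).items():
        print(f"{role}: default search includes summary index(es) {hits}")
```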
Measuring system performance
You can use IOzone to measure system performance (it runs on Windows). IOzone outputs the data in IOPS if the "-O" argument is specified.
Below is an example IOzone invocation that stores the results, in IOPS, in an Excel spreadsheet:
iozone -s 4g -r 2k -r 4k -r 8k -r 16k -r 32k -O -b results.xls
Performance on UNIX systems
The search head that hosts the Splunk App for PCI Compliance should be configured for high performance. On UNIX systems, check the ulimit setting in particular, as this can artificially limit the operating system's capacity.
Other performance impacts include the Linux swappiness setting. Consult with your UNIX systems administrator for high performance build recommendations.
Other troubleshooting tips
- Make sure you have the minimum (correct) version of Splunk Enterprise installed. See "Install Prerequisites" in this manual for more information.
- Make sure you disable other apps on the search head you are using for the Splunk App for PCI Compliance. If you are using the Cisco apps (Cisco WSA, ESA, Firewalls, and so on), make sure to disable the saved searches. See the FAQ in this manual about Cisco add-ons for details.
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1