Splunk Enterprise and anti-virus products
Splunk Enterprise uses disk I/O bandwidth to perform indexing tasks. In particular, disk write operations are very intensive. These I/O writes can clash with any product that installs a driver to intermediate between Splunk Enterprise and the operating system, such as an anti-virus software that scans when an application performs storage access.
When you run Splunk Enterprise or the universal forwarder on a machine that has an anti-virus product installed, exclude all Splunk software processes as well as the Splunk installation directory from any kind of on-access scanning.
On Windows hosts, on-access scanners can significantly decrease performance. On *nix hosts, these scanners can use up file descriptors and render a host completely inaccessible.
Files and processes to exclude
The following table lists the Splunk platform directories and executables to exclude from anti-virus scanning. All processes that appear in the "Processes to exclude" column are in the $SPLUNK_HOME/bin directory on *nix and the %SPLUNK_HOME%\bin directory on Windows.
Version: | Directories to exclude: | Processes to exclude: |
---|---|---|
Splunk Enterprise (Windows) |
|
|
Splunk universal forwarder (Windows) |
|
|
Splunk Enterprise (*nix) |
|
|
Splunk universal forwarder (*nix) |
|
Same as Splunk Enterprise (*nix) |
Other items to exclude
If you run a Splunk app or add-on on your Splunk Enterprise instance or forwarder, exclude any executables that might come with the app or add-on. An example is the Splunk Add-on for PowerShell - this modular input comes with an executable named powershell.exe
that you must also exclude from anti-virus scans when it runs.
In general, any file associated with Splunk Enterprise that can be executed should be excluded from scanning. You might need to inspect additional files in apps or add-ons to determine whether or not they qualify.
Increased skipped search rate after upgrade to 9.0 | Workaround for network accessibility issues on Splunk Windows systems under certain conditions |
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1
Feedback submitted, thanks!