Whenever I search McAfee Webgateway data using a defined field name (`sourcetype="mcafee:wg:kv" user=joeuser`), the search takes several minutes to complete. However, if I remove the field name (`sourcetype="mcafee:wg:kv" joeuser`), the search completes in a matter of seconds as expected. I have confirmed that the problem only occurs with the webgateway data. I am using Splunk Add-on for McAfee Web Gateway app and have not made any modifications. Any troubleshooting tips would be greatly appreciated as I am fairly new to Splunk. Let me know what other information is needed.
Splunk version 6.3.3
Splunk Add-on for McAfee Web Gateway version 1.0.0
Application installed on Search Heads, Heavy Forwarders and to the Indexer Cluster