Good day
I configured Splunk to receive Cisco ASA firewall log on udp 5141 port and installed ASA add-on for parsing logs with "Cisco.ASA" source type.
It's necessary to say you, i received about1000000 logs per minutes.
I have problem with searching query in Splunk. when i search a simple query like: "index=fw_251" (the name of asa index that receive logs is fw_251) during 1h, Splunk can't send me all of logs and show this error: "Search auto-canceled" after several minutes. (just show me last 4 minutes of 60 minutes) and paused.
Why this error occur?
I monitored all of resources like ram,cpu, ... . every things is okey.
Do have any suggestion for me?
Thank you
↧