Skip to main content

Integrations

Known Issues and Limitations

The following topics describe known issues for Splunk.

  • The PCE Operations dashboard will not be populated for SaaS customers because PCE system health information is not available.

  • Label Group objects are not currently imported by the Illumio TA.

  • The Illumio TA only supports TCP for Syslog.

Service Account API Keys

  • Service Account keys have a default expiration of 90 days. Make sure to rotate them before they expire.

  • For some versions of the PCE (21.5), some API endpoints may return a 403 despite the Service Account key having the necessary permissions. When you see 403 errors in the TA logs, create a new key or use a User-scoped API key instead.

Illumio Supercluster

  • The illumio_* metadata collections set the pce_fqdn field value to be the domain name of the PCE referenced in the input configuration. This could lead to these metadata objects having different pce_fqdn values from the syslog events pushed by individual supercluster members.

Known Issue on TA-Illumio 4.0.2 and Above

The following known issue applies to TA-Illumio 4.0.2 and above.

TA-Illumio 4.0.2 Does Not Pull Data from PCEs with Over 25,000 VEN

Splunk TA v4.0.2 and above does not support pulling metadata from PCEs with more than 25,000 VENs.

The following error occurred in splunkd.log when trying to ingest metadata from a PCE with around 27,000 VENs:

"StateSToreError: 'Batch save to KV store failed with code 400. Error details: Request exceeds API limits - see limits.conf for details. (Batch save size=53468786 too large)' "53 MB greater than the default (50 MB) on max_size_per_batch_save_mb

This occurs because of the default API limits on the Splunk side. See the following article: limits.conf.

To set custom configurations, create a new file called limits.conf in the $SPLUNK_HOME/etc/system/local directory. Then add the specific settings that you want to customize to the local configuration file.

Add the following setting to limits.conf:

[kvstore]
max_size_per_batch_save_mb = 100

The limits.conf file is located here: "$SPLUNK_HOME/etc/system/local".

After you have added the setting, restart the Illumio Technology Add-On.