https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214117#M23100 <P>...and I heard back from the team that there is already work underway to address these issues. They have added this Answers posting to the internal page where they are coordinating the work.</P> Mon, 22 Feb 2016 15:52:50 GMT ChrisG 2016-02-22T15:52:50Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214115#M23098 <P>For five sourcetypes, there's this automatic lookup defined:</P> <PRE><CODE>LOOKUP-ORACODE = oracle_ora_code_lookup ORACODE OUTPUTNEW DESCRIPTION, CAUSE, ACTION </CODE></PRE> <P><CODE>ACTION</CODE> values returned are a textual description of what you can do to alleviate the issue around the respective code.</P> <P>Conversely, several sourcetypes have this transforms-based search time field extraction:</P> <PRE><CODE>REPORT-ACTION_text = ACTION_text </CODE></PRE> <P>This yields a field also called <CODE>ACTION</CODE>, containing numerical oracle action codes, e.g. 100 for a login.</P> <P>Given that these two fields share the same name, searching for <CODE>ACTION=100</CODE> triggers Splunk to go through the lookup and check if there happens to be a row with <CODE>ACTION=100</CODE> in case it needs to search for the corresponding <CODE>ORACODE</CODE> value instead. It'll never find a numerical <CODE>ACTION</CODE> in the textual descriptive <CODE>ACTION</CODE> of the lookup, so the results remain correct - however, going through 20000 lines of lookup is a needless drain on performance for Splunk to build the normalizedSearch string before executing the search. Execution itself is not affected, but I've seen up to a second of additional search startup overhead added to every search just from going through this lookup once for each of the five sourcetypes.</P> <P>To alleviate this, please change the <CODE>ACTION</CODE> field name returned by the lookup to something else.</P> Sat, 20 Feb 2016 16:57:10 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214115#M23098 martin_mueller 2016-02-20T16:57:10Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214116#M23099 <P>I filed a ticket with the add-on team about this: ADDON-7882.</P> Sat, 20 Feb 2016 17:07:40 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214116#M23099 ChrisG 2016-02-20T17:07:40Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214117#M23100 <P>...and I heard back from the team that there is already work underway to address these issues. They have added this Answers posting to the internal page where they are coordinating the work.</P> Mon, 22 Feb 2016 15:52:50 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214117#M23100 ChrisG 2016-02-22T15:52:50Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214118#M23101 <P>If you can provide more information about how you build the normalizedSearch, it will be great help.</P> Tue, 23 Feb 2016 03:22:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214118#M23101 kchen_splunk 2016-02-23T03:22:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214119#M23102 <P>It's all in my app, the Knowledge Object Explorer at <A href="https://splunkbase.splunk.com/app/2871/">https://splunkbase.splunk.com/app/2871/</A> - new version soon that can detect this kind of "zero match lookup", let me know if you want to beta test.</P> Tue, 23 Feb 2016 05:40:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214119#M23102 martin_mueller 2016-02-23T05:40:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214120#M23103 <P>As of 3.4.0, the lookup now produces <CODE>oracle_alert_action</CODE> and the eventtypes now use <CODE>oracle_audit_action</CODE>, so this has been fixed.</P> Fri, 08 Apr 2016 21:23:01 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214120#M23103 martin_mueller 2016-04-08T21:23:01Z https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214121#M23104 <P>The Knowledge Object Explorer v1.1 is out at <A href="https://splunkbase.splunk.com/app/2871/">https://splunkbase.splunk.com/app/2871/</A> for your normalizedSearch needs <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 08 Apr 2016 21:23:44 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/ER-Remove-performance-issue-with-oracode-lookup/m-p/214121#M23104 martin_mueller 2016-04-08T21:23:44Z