ER: Remove performance issue with oracode lookup

martin_mueller
SplunkTrust

For five sourcetypes, there's this automatic lookup defined:

LOOKUP-ORACODE = oracle_ora_code_lookup ORACODE OUTPUTNEW DESCRIPTION, CAUSE, ACTION

ACTION values returned are a textual description of what you can do to alleviate the issue around the respective code.

Conversely, several sourcetypes have this transforms-based search time field extraction:

REPORT-ACTION_text = ACTION_text

This yields a field also called ACTION, containing numerical oracle action codes, e.g. 100 for a login.

Given that these two fields share the same name, searching for ACTION=100 triggers Splunk to go through the lookup and check if there happens to be a row with ACTION=100 in case it needs to search for the corresponding ORACODE value instead. It'll never find a numerical ACTION in the textual descriptive ACTION of the lookup, so the results remain correct - however, going through 20000 lines of lookup is a needless drain on performance for Splunk to build the normalizedSearch string before executing the search. Execution itself is not affected, but I've seen up to a second of additional search startup overhead added to every search just from going through this lookup once for each of the five sourcetypes.

To alleviate this, please change the ACTION field name returned by the lookup to something else.
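The collision the post describes, shown as an added configuration example rather than the add-on's actual shipped props.conf. The sourcetype names (oracle:alert, oracle:audit) and the stanza layout are assumptions; the lookup and REPORT lines are taken from the post, and the renamed output field follows the later report in this thread that the lookup now emits oracle_alert_action.

```ini
# props.conf, BEFORE (constructed example; sourcetype names are assumptions)
# The automatic lookup emits a field named ACTION (free text), while the
# search-time extraction on another sourcetype also yields ACTION (numeric).
# A search for ACTION=100 therefore makes Splunk scan the lookup table for a
# row whose ACTION is "100" so it can rewrite the search in terms of ORACODE.
[oracle:alert]
LOOKUP-ORACODE = oracle_ora_code_lookup ORACODE OUTPUTNEW DESCRIPTION, CAUSE, ACTION

[oracle:audit]
REPORT-ACTION_text = ACTION_text

# props.conf, AFTER (constructed example)
# Rename the lookup's output field with AS so the two fields no longer share
# a name. A search for ACTION=100 now has no automatic lookup that could
# supply ACTION, so no reverse-lookup scan of the table is attempted.
[oracle:alert]
LOOKUP-ORACODE = oracle_ora_code_lookup ORACODE OUTPUTNEW DESCRIPTION, CAUSE, ACTION AS oracle_alert_action

[oracle:audit]
REPORT-ACTION_text = ACTION_text
```

To confirm the change took effect, run a search such as `sourcetype=oracle:audit ACTION=100` before and after, open the Job Inspector, and compare the search job's normalizedSearch property and its startup time; searches that reference the renamed field (`oracle_alert_action="..."`) will still go through the lookup, which is the intended behaviour.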

1 Solution

ChrisG
Splunk Employee

I filed a ticket with the add-on team about this: ADDON-7882.

kchen_splunk
Splunk Employee

If you can provide more information about how you build the normalizedSearch, it will be a great help.

martin_mueller
SplunkTrust

The Knowledge Object Explorer v1.1 is out at https://splunkbase.splunk.com/app/2871/ for your normalizedSearch needs 🙂

martin_mueller
SplunkTrust

It's all in my app, the Knowledge Object Explorer at https://splunkbase.splunk.com/app/2871/ - new version soon that can detect this kind of "zero match lookup", let me know if you want to beta test.

martin_mueller
SplunkTrust

As of 3.4.0, the lookup now produces oracle_alert_action and the eventtypes now use oracle_audit_action, so this has been fixed.

ChrisG
Splunk Employee

...and I heard back from the team that there is already work underway to address these issues. They have added this Answers posting to the internal page where they are coordinating the work.