For five sourcetypes, there's this automatic lookup defined:
LOOKUP-ORACODE = oracle_ora_code_lookup ORACODE OUTPUTNEW DESCRIPTION, CAUSE, ACTION
ACTION values returned are a textual description of what you can do to alleviate the issue around the respective code.
Conversely, several sourcetypes have this transforms-based search time field extraction:
REPORT-ACTION_text = ACTION_text
This yields a field also called ACTION, containing numerical Oracle action codes, e.g. 100 for a login.
Given that these two fields share the same name, searching for ACTION=100 triggers Splunk to go through the lookup and check if there happens to be a row with ACTION=100, in case it needs to search for the corresponding ORACODE value instead. It'll never find a numerical ACTION in the textual descriptive ACTION of the lookup, so the results remain correct. However, going through 20000 lines of lookup is a needless drain on performance for Splunk to build the normalizedSearch string before executing the search. Execution itself is not affected, but I've seen up to a second of additional search startup overhead added to every search just from going through this lookup once for each of the five sourcetypes.
To alleviate this, please change the ACTION field name returned by the lookup to something else.
...and I heard back from the team that there is already work underway to address these issues. They have added this Answers posting to the internal page where they are coordinating the work.
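As an added illustration (not from the original post or from the add-on itself), here is the colliding props.conf configuration the post describes next to a variant that aliases the lookup's output column with AS, so the numeric extracted ACTION no longer shares a name with a lookup output and the reverse scan of the lookup is avoided. The sourcetype name is a placeholder, and the transforms stanzas oracle_ora_code_lookup and ACTION_text are assumed to exist as named on the page.

```ini
# props.conf - constructed illustration; the sourcetype name is a placeholder.
# Only one of the two stanzas below would exist in a real file; they are shown
# side by side to contrast the colliding and the corrected definition.

# Before: the REPORT extraction and the automatic lookup both produce a field
# named ACTION. A search on ACTION=100 therefore also makes Splunk scan the
# lookup's ACTION column for a match (to translate it into an ORACODE filter)
# while building the normalizedSearch, adding startup overhead to every search.
[oracle:audit:placeholder]
REPORT-ACTION_text = ACTION_text
LOOKUP-ORACODE = oracle_ora_code_lookup ORACODE OUTPUTNEW DESCRIPTION, CAUSE, ACTION

# After: the lookup's ACTION column is written to the event as ORACODE_ACTION
# (assumed name) via the AS alias supported in LOOKUP-* definitions. The
# extracted numeric ACTION is now unrelated to any lookup output field, so
# ACTION=100 is no longer a candidate for lookup-based reverse matching, and
# the descriptive text remains available under ORACODE_ACTION.
[oracle:audit:placeholder]
REPORT-ACTION_text = ACTION_text
LOOKUP-ORACODE = oracle_ora_code_lookup ORACODE OUTPUTNEW DESCRIPTION, CAUSE, ACTION AS ORACODE_ACTION
```

Searches and dashboards that referenced the textual field as ACTION would need to be updated to the new alias after such a change.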