To improve indexing speed for windows security events on Splunk Heavy Forwarders with Windows Event Collection enabled, we have been told to enable: (on our inputs.conf)
suppress_sourcename
suppress_checkpoint
suppress_keywords
suppress_type
suppress_opcode
use_threads = 7
We did see our indexing speeds improve x 4. From 2Mbps to 7.94Mbps. But once the logs were ingested, indexing rates dropped back down to around 1-2Mbps.
We were also told that we need to set renderxml=true for these suppression stanzas to work. Is this accurate?
The problem with our RenderXML=True is that our fields do not extract correctly. The events also break. We are using the latest TA-Windows app.
Are we losing anything by enabling these (Splunk developer) settings?
Does this just affect search time field extraction?
Is the processing now being done on the indexers as a result?
Update 10/1/2019
We disabled suppression and the latency came back.
We disabled the renderxml=true and it didn't affect speeds.
We solved our fields not extracting at searchtime , by changing our sourcetype for the [WinEventLog://Forwarded Events] input. (with renderxml=true)
Changed use_threads to use 15 threads. (Made no difference)
Enabled: On the rest of the Windows Event Collectors
suppress_sourcename
suppress_checkpoint
suppress_keywords
suppress_type
suppress_opcode
Note: Splunk recommends not changing these settings without speaking with support first.
This is the result. While we are pleased with this after months. We will evaluate how it affects Enterprise Security.
Changed use_threads to use 15 threads. (Made no difference)
Enabled: On the rest of the Windows Event Collectors
suppress_sourcename
suppress_checkpoint
suppress_keywords
suppress_type
suppress_opcode
Note: Splunk recommends not changing these settings without speaking with support first.
This is the result. While we are pleased with this after months. We will evaluate how it affects Enterprise Security.
Update 10/2/2019
Changed use_threads to use 15 threads. (Made no difference)
Enabled: On the rest of the Windows Event Collectors
suppress_sourcename
suppress_checkpoint
suppress_keywords
suppress_type
suppress_opcode
This is the result. While we are pleased with this after months. We will evaluate how it affects Enterprise Security.