Running this search index=internal "group=pipeline" | stats sum(cpuseconds) as totalCPUSeconds by processor | sort 10 totalCPUSeconds desc
I see the sendout processor has the totalCPUseconds lead followed closely by indexer and aggregator processors. What exactly does the sendout processor do? I see it's a part of the "parsing"
disabled_processors=utf8, linebreaker, header, sendOut
sendOut sends data from the parsingQueue to the aggQueue(aggregator). The parsing queue does UTF8, Linebreaker, header recognition, etc. aggQueue puts the events back together by using things like SHOULDLINEMERGE, BREAKONLYBEFORE, MUSTBREAK_AFTER, etc.
I know this a (very) old question/answer, but: I see that our Splunk indexer spends most cpuseconds for the parsing sendout processor. What exactly does it do? The amount of cpuseconds for all other processors is magnitudes lower. May this indicate a resource problem?