I have events that look like this:
inputs.conf:
[monitor://D:\Splunk\NVDB*.xml]
crcSalt =
props.conf:
[nvdb]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = (?i)<entry\sid=
MUST_BREAK_AFTER = (?i)</entry>
MAX_EVENTS = 10000
REPORT-nvdb_vulnerable_products = nvdb_vulnerable_products
EXTRACT-cve_id = (?i)<entry\sid=\"CVE-(?P
EXTRACT-score = (?i)<cvss:score>(?P
EXTRACT-access_vector = (?i)<cvss:access-vector>(?P
EXTRACT-access_complexity = (?i)<cvss:access-complexity>(?P
EXTRACT-authentication = (?i)<cvss:authentication>(?P
EXTRACT-confidentiality_impact = (?i)<cvss:confidentiality-impact>(?P
EXTRACT-integrity_impact = (?i)<cvss:integrity-impact>(?P
EXTRACT-availability_impact = (?i)<cvss:availability-impact>(?P
The data is XML formatted. The files are treated as a single event and are around 250 lines long. The searches hang at like 538 events (out of tens of thousands).
What's the best way to go about troubleshooting this? I have other XML inputs that take no time at all to search through.
Thx.
Craig
The problem was a transform that had to parse dozens or more lines out of each event. Disabling that transform caused the performance to return to normal.
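The same fields pulled from an NVD 2.0 feed outside Splunk, as an added example that is not part of the question or the answer: each <entry> is parsed as XML rather than matched with regexes over a 250-line event, which is the per-event work the answer above identifies as the cost. The namespace URIs, the <vuln:cvss>/<cvss:base_metrics> nesting and the two sample entries are assumptions constructed for the example; cve_id keeps the whole id attribute.

```python
import io, xml.etree.ElementTree as ET

# Namespace URIs assumed for the NVD 2.0 XML feed (the post does not show them).
NS = {"feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
      "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
      "cvss": "http://scap.nist.gov/schema/cvss-v2/0.2"}

# The cvss:* elements the EXTRACT-* stanzas match; field name = tag with '-' -> '_'.
CVSS_TAGS = ("score", "access-vector", "access-complexity", "authentication",
             "confidentiality-impact", "integrity-impact", "availability-impact")

# Constructed sample feed (not real NVD data); the second entry has no CVSS block.
SAMPLE_FEED = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
     xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2">
  <entry id="CVE-0000-0001">
    <vuln:cvss><cvss:base_metrics>
      <cvss:score>7.5</cvss:score>
      <cvss:access-vector>NETWORK</cvss:access-vector>
      <cvss:access-complexity>LOW</cvss:access-complexity>
      <cvss:authentication>NONE</cvss:authentication>
      <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact>
      <cvss:integrity-impact>PARTIAL</cvss:integrity-impact>
      <cvss:availability-impact>PARTIAL</cvss:availability-impact>
    </cvss:base_metrics></vuln:cvss>
  </entry>
  <entry id="CVE-0000-0002">
    <vuln:summary>Entry without a CVSS block.</vuln:summary>
  </entry>
</nvd>
"""

def parse_entry(entry):
    """One record per <entry>, mirroring one Splunk event per entry."""
    record = {"cve_id": entry.get("id")}
    metrics = entry.find("vuln:cvss/cvss:base_metrics", NS)
    for tag in CVSS_TAGS:
        node = None if metrics is None else metrics.find("cvss:" + tag, NS)
        record[tag.replace("-", "_")] = None if node is None else (node.text or "").strip()
    return record

def parse_feed(xml_text):
    """Stream the feed with iterparse instead of holding the whole file as one event."""
    records = []
    for _ev, elem in ET.iterparse(io.StringIO(xml_text), events=("end",)):
        if elem.tag == "{%s}entry" % NS["feed"]:
            records.append(parse_entry(elem))
            elem.clear()  # release the finished entry so memory stays flat
    return records
```

Entries without a CVSS block yield None for every cvss field instead of failing, which is the case a regex extraction silently drops.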