Re: Poor search performance one sourcetype

mundus · ‎01-17-2012

I have events that look like this:

inputs.conf:

[monitor://D:\Splunk\NVDB*.xml]

crcSalt =

disabled = false

followTail = 0

sourcetype = nvdb

props.conf:

[nvdb]

SHOULD_LINEMERGE = true

BREAK_ONLY_BEFORE = (?i)<entry\sid=

MUST_BREAK_AFTER = (?i)</entry>

MAX_EVENTS = 10000

REPORT-nvdb_vulnerable_products = nvdb_vulnerable_products

EXTRACT-cve_id = (?i)<entry\sid=\"CVE-(?P\d+-\d+)

EXTRACT-score = (?i)<cvss:score>(?P[^<]+)<

EXTRACT-access_vector = (?i)<cvss:access-vector>(?P[\w+]+)<

EXTRACT-access_complexity = (?i)<cvss:access-complexity>(?P[\w+]+)<

EXTRACT-authentication = (?i)<cvss:authentication>(?P[\w+]+)<

EXTRACT-confidentiality_impact = (?i)<cvss:confidentiality-impact>(?P[\w+]+)<

EXTRACT-integrity_impact = (?i)<cvss:integrity-impact>(?P[\w+]+)<

EXTRACT-availability_impact = (?i)<cvss:availability-impact>(?P[\w+]+)<

The data is XML formatted. The files are treated as a single event and are around 250 lines long. The searches hang at like 538 events (out of tens of thousands).

What's the best way to go about troubleshooting this? I have other XML inputs that take no time at all to search through.

Thx.

Craig

mundus · ‎01-18-2012

The problem was a transform that had to parse dozens or more lines out of each event. Disabling that transform caused the performance to return to normal.

Poor search performance one sourcetype

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation