Splunk Enterprise Security

Field extractor is unusually slow

rroberts
Splunk Employee
Splunk Employee

While working in the ESS app searching for tag=attack last 60 mins time range I get about 1,262 events. I get two warning banners.

1. Field extractor name=autoheader_for_sav is unusually slow (average execution time=721ms, probes=10 warning max=500ms)

2. Field extractor name=auto_kv_for_mcafee_ids_message is unusually slow (average execution time=541ms, probes=10 warning max=500ms)

What can I tune to avoid these warnings?

1 Solution

yannK
Splunk Employee
Splunk Employee

The solutions are :
- identify and improve the regexes/field extractions ( if possible )
- or change the warning threshold for key values extraction

edit $SPLUNK_HOME/etc/system/local/limits.conf, and change max_extractor_time value
see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf

[kv]
max_extractor_time = 
# Maximum amount of CPU time, in milliseconds, that a key-value pair extractor will be allowed to  take before warning. If the extractor exceeds this execution time on any event a warning will be issued  Defaults to 1000

avg_extractor_time = 
# Maximum amount of CPU time, in milliseconds, that the average (over search results) execution time of   a key-value pair extractor will be allowed to take before warning. Once the average becomes larger  than this amount of time a warning will be issued Defaults to 500

View solution in original post

yannK
Splunk Employee
Splunk Employee

The solutions are :
- identify and improve the regexes/field extractions ( if possible )
- or change the warning threshold for key values extraction

edit $SPLUNK_HOME/etc/system/local/limits.conf, and change max_extractor_time value
see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf

[kv]
max_extractor_time = 
# Maximum amount of CPU time, in milliseconds, that a key-value pair extractor will be allowed to  take before warning. If the extractor exceeds this execution time on any event a warning will be issued  Defaults to 1000

avg_extractor_time = 
# Maximum amount of CPU time, in milliseconds, that the average (over search results) execution time of   a key-value pair extractor will be allowed to take before warning. Once the average becomes larger  than this amount of time a warning will be issued Defaults to 500

View solution in original post

BobM
Builder

Make them faster 😉

0 Karma

rroberts
Splunk Employee
Splunk Employee

Well that almost solves it then. Guess ill go look for best practices.

0 Karma