Splunk Enterprise Security

Field extractor is unusually slow

rroberts
Splunk Employee

While working in the ESS app, searching for tag=attack over the last 60 minutes, I get about 1,262 events. I get two warning banners.

1. Field extractor name=autoheader_for_sav is unusually slow (average execution time=721ms, probes=10 warning max=500ms)

2. Field extractor name=auto_kv_for_mcafee_ids_message is unusually slow (average execution time=541ms, probes=10 warning max=500ms)

What can I tune to avoid these warnings?

1 Solution

yannK
Splunk Employee

The solutions are:
- identify and improve the regexes/field extractions (if possible)
- or change the warning threshold for key-value extraction

Edit $SPLUNK_HOME/etc/system/local/limits.conf and change the max_extractor_time value;
see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf

[kv]
max_extractor_time =
# Maximum amount of CPU time, in milliseconds, that a key-value pair extractor will be allowed to take before warning. If the extractor exceeds this execution time on any event, a warning will be issued. Defaults to 1000.

avg_extractor_time =
# Maximum amount of CPU time, in milliseconds, that the average (over search results) execution time of a key-value pair extractor will be allowed to take before warning. Once the average becomes larger than this amount of time, a warning will be issued. Defaults to 500.

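As an added example (not from this thread and not Splunk's own tooling), a small Python script that parses the warning banners quoted in the question, ranks the extractors so the slowest regex gets attention first, and shows which warnings a raised [kv] avg_extractor_time would merely hide rather than fix. The banner format and the sample values come from the question; the function names and the sample text are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two banners from the question, in the format Splunk prints.
SAMPLE_WARNINGS = """\
Field extractor name=autoheader_for_sav is unusually slow (average execution time=721ms, probes=10 warning max=500ms)
Field extractor name=auto_kv_for_mcafee_ids_message is unusually slow (average execution time=541ms, probes=10 warning max=500ms)
"""

WARNING_RE = re.compile(
    r"Field extractor name=(?P<name>\S+) is unusually slow "
    r"\(average execution time=(?P<avg_ms>\d+)ms, probes=(?P<probes>\d+) "
    r"warning max=(?P<max_ms>\d+)ms\)"
)


@dataclass
class SlowExtractor:
    name: str
    avg_ms: int       # measured average CPU time per event
    probes: int       # how many events were sampled
    warn_max_ms: int  # the avg_extractor_time threshold in force (default 500)


def parse_warnings(text: str) -> list[SlowExtractor]:
    """Turn every 'unusually slow' banner in text into a SlowExtractor record."""
    found = []
    for line in text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            found.append(SlowExtractor(m["name"], int(m["avg_ms"]),
                                       int(m["probes"]), int(m["max_ms"])))
    return found


def worst_first(warnings: list[SlowExtractor]) -> list[str]:
    """Extractor names ordered by average time, slowest first: the fix order."""
    return [w.name for w in sorted(warnings, key=lambda w: w.avg_ms, reverse=True)]


def triage(warnings: list[SlowExtractor], proposed_avg_ms: int) -> tuple[list[str], list[str]]:
    """Split extractors into those a new avg_extractor_time would silence and
    those that would still warn. Silencing removes the banner, not the CPU cost
    each ES search keeps paying, so the second list is the real work queue."""
    silenced = [w.name for w in warnings if w.avg_ms <= proposed_avg_ms]
    still_slow = [w.name for w in warnings if w.avg_ms > proposed_avg_ms]
    return silenced, still_slow


def threshold_to_silence(warnings: list[SlowExtractor]) -> int:
    """Smallest avg_extractor_time (ms) that would hide every listed warning."""
    return max(w.avg_ms for w in warnings)
```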

BobM
Builder

Make them faster 😉


rroberts
Splunk Employee

Well, that almost solves it then. Guess I'll go look for best practices.
