Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extractor is unusually slow

rroberts
Splunk Employee
Splunk Employee
‎11-11-2011 11:30 AM

While working in the ESS app searching for tag=attack last 60 mins time range I get about 1,262 events. I get two warning banners.

1. Field extractor name=autoheader_for_sav is unusually slow (average execution time=721ms, probes=10 warning max=500ms)

2. Field extractor name=auto_kv_for_mcafee_ids_message is unusually slow (average execution time=541ms, probes=10 warning max=500ms)

What can I tune to avoid these warnings?

Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎06-29-2012 11:59 AM

The solutions are :
- identify and improve the regexes/field extractions ( if possible )
- or change the warning threshold for key values extraction

edit $SPLUNK_HOME/etc/system/local/limits.conf, and change max_extractor_time value
see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf

[kv]
max_extractor_time = 
# Maximum amount of CPU time, in milliseconds, that a key-value pair extractor will be allowed to  take before warning. If the extractor exceeds this execution time on any event a warning will be issued  Defaults to 1000

avg_extractor_time = 
# Maximum amount of CPU time, in milliseconds, that the average (over search results) execution time of   a key-value pair extractor will be allowed to take before warning. Once the average becomes larger  than this amount of time a warning will be issued Defaults to 500

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎06-29-2012 11:59 AM

The solutions are :
- identify and improve the regexes/field extractions ( if possible )
- or change the warning threshold for key values extraction

edit $SPLUNK_HOME/etc/system/local/limits.conf, and change max_extractor_time value
see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf

[kv]
max_extractor_time = 
# Maximum amount of CPU time, in milliseconds, that a key-value pair extractor will be allowed to  take before warning. If the extractor exceeds this execution time on any event a warning will be issued  Defaults to 1000

avg_extractor_time = 
# Maximum amount of CPU time, in milliseconds, that the average (over search results) execution time of   a key-value pair extractor will be allowed to take before warning. Once the average becomes larger  than this amount of time a warning will be issued Defaults to 500
Reply
Solved! Jump to solution

BobM
Builder
‎01-09-2012 03:12 AM

Make them faster 😉

0 Karma
Reply
Solved! Jump to solution

rroberts
Splunk Employee
Splunk Employee
‎01-09-2012 05:32 AM

Well that almost solves it then. Guess ill go look for best practices.

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...