Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field extractor warning.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Lately when I run searches I tend to get a warning on the screen along the lines of:
Field extractor name=access-extractions is unusually slow (max single event time=1140ms, probes=375 warning max=1000ms)
What causes this, and, what should I be looking at to tweak to make Splunk happy again?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Howyagoin,
This is a warning message introduced in 4.2.1. It will warn when extractions exceed 1000ms. I have browsed limits.conf without finding a setting to increase this threshold; however I would recommend addressing the underlying extraction.
In this case the "access-extractions" transform Regex may need to be adjusted to provide faster matching. This typically involves anchors which will invalidate the match quicker.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Howyagoin,
This is a warning message introduced in 4.2.1. It will warn when extractions exceed 1000ms. I have browsed limits.conf without finding a setting to increase this threshold; however I would recommend addressing the underlying extraction.
In this case the "access-extractions" transform Regex may need to be adjusted to provide faster matching. This typically involves anchors which will invalidate the match quicker.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for this - I spent some time staring at it and came to the same conclusion last night -- I fear what triggered it was a somewhat imprecise search I was conducting which was indeed going through httpd access files which were indexed. I'll have to work on adding sourcetypes to searches a bit more. Thanks!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Splunk Community Badges!
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
