Hello everyone,
Here is a wierd case i just faced.
In a props.conf file (on the search head), i extract some fields in a sourcetype :
[MySourceType]
EXTRACT-MyFields = ... ((?<CpuName>[^#]+)#)?(?<SchedName>\S+) ...
Note that the CpuName is optionnal.
Everything is fine here. When i search for events with a specific CpuName, it's quite fast because Splunk scans very few events (is the filtering done by the indexer because of Splunk built-in optimizations ?).
Since the CpuName isn't always defined, i wanted to add a default value, so i added this line in the props.conf :
EVAL-CpuName=if((isnull(CpuName) AND NOT isnull(SchedName)),"DEFAULT_CPUNAME",CpuName)
But since i made this change, searches became a lot slower (even when searching for a well defined CpuName).
In fact, the job inspector clearly shows that Splunk scans 10 times more events.
I suspect that now, the indexer scans all the events of the timerange without filtering by CpuName ?
What is happening here? And how can i add a default value to an extracted field without losing this fast filtering ?
Thanks,
Thomas
Note : indexers & search heads are on different servers
