Monitoring Splunk

Poor search performance one sourcetype

mundus
Path Finder

I have events that look like this:

inputs.conf:

[monitor://D:\Splunk\NVDB*.xml]
crcSalt =
disabled = false
followTail = 0
sourcetype = nvdb

props.conf:

[nvdb]
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE = (?i)<entry\sid=
MUST_BREAK_AFTER = (?i)</entry>
MAX_EVENTS = 10000
REPORT-nvdb_vulnerable_products = nvdb_vulnerable_products
# The named-group names were lost from the post; they are assumed here to match the EXTRACT keys.
EXTRACT-cve_id = (?i)<entry\sid=\"CVE-(?P<cve_id>\d+-\d+)
EXTRACT-score = (?i)<cvss:score>(?P<score>[^<]+)<
EXTRACT-access_vector = (?i)<cvss:access-vector>(?P<access_vector>[\w+]+)<
EXTRACT-access_complexity = (?i)<cvss:access-complexity>(?P<access_complexity>[\w+]+)<
EXTRACT-authentication = (?i)<cvss:authentication>(?P<authentication>[\w+]+)<
EXTRACT-confidentiality_impact = (?i)<cvss:confidentiality-impact>(?P<confidentiality_impact>[\w+]+)<
EXTRACT-integrity_impact = (?i)<cvss:integrity-impact>(?P<integrity_impact>[\w+]+)<
EXTRACT-availability_impact = (?i)<cvss:availability-impact>(?P<availability_impact>[\w+]+)<

The data is XML formatted. The files are treated as a single event and are around 250 lines long. The searches hang at like 538 events (out of tens of thousands).

What's the best way to go about troubleshooting this? I have other XML inputs that take no time at all to search through.

Thx.

Craig


mundus
Path Finder

The problem was a transform that had to parse dozens or more lines out of each event. Disabling that transform caused the performance to return to normal.

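As an added troubleshooting aid (not code from the post or from Splunk), this Python script replays the props.conf EXTRACT regexes over a constructed NVD-style entry padded to roughly the 250 lines described above, together with a stand-in for the vulnerable-products transform, and times each extraction separately so the expensive one stands out. The named-group names are assumed to match the EXTRACT keys, and the shape of the transform regex is an assumption.

```python
import re
import time

# Constructed NVD-style <entry> event (not from the post); the product list is
# padded so the event is roughly the 250 lines the question describes.
PRODUCTS = "\n".join(
    f"  <vuln:product>cpe:/a:vendor{i}:widget{i}:1.0</vuln:product>" for i in range(200)
)
SAMPLE_EVENT = f"""<entry id="CVE-2014-0001">
<vuln:vulnerable-software-list>
{PRODUCTS}
</vuln:vulnerable-software-list>
<vuln:cvss><cvss:base_metrics><cvss:score>7.5</cvss:score>
<cvss:access-vector>NETWORK</cvss:access-vector><cvss:access-complexity>LOW</cvss:access-complexity>
<cvss:authentication>NONE</cvss:authentication><cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact>
<cvss:integrity-impact>PARTIAL</cvss:integrity-impact><cvss:availability-impact>PARTIAL</cvss:availability-impact>
</cvss:base_metrics></vuln:cvss></entry>"""

# The EXTRACT-* regexes from props.conf; the named-group names are assumed to
# match the EXTRACT keys, since the post lost them.
EXTRACTS = {"cve_id": r'(?i)<entry\sid=\"CVE-(?P<cve_id>\d+-\d+)',
            "score": r"(?i)<cvss:score>(?P<score>[^<]+)<"}
for tag in ("access-vector", "access-complexity", "authentication",
            "confidentiality-impact", "integrity-impact", "availability-impact"):
    name = tag.replace("-", "_")
    EXTRACTS[name] = rf"(?i)<cvss:{tag}>(?P<{name}>[\w+]+)<"
# Stand-in for the REPORT transform (assumed shape, not the author's): one match
# per <vuln:product> line, i.e. dozens of matches per event instead of one.
PRODUCT_RE = r"(?i)<vuln:product>(?P<vulnerable_product>[^<]+)<"

def extract_fields(event):
    fields = {}
    for pattern in EXTRACTS.values():
        m = re.search(pattern, event)
        if m:
            fields.update(m.groupdict())
    fields["vulnerable_product"] = re.findall(PRODUCT_RE, event)
    return fields

def time_extractions(event, repeat=200):
    """Seconds spent per extraction over `repeat` events; the outlier is the one to disable."""
    timings = {}
    for name, pattern in {**EXTRACTS, "nvdb_vulnerable_products": PRODUCT_RE}.items():
        rx = re.compile(pattern)
        t0 = time.perf_counter()
        for _ in range(repeat):
            rx.findall(event)
        timings[name] = time.perf_counter() - t0
    return timings
```

Run `time_extractions(SAMPLE_EVENT)` and sort the result by value; the same per-regex comparison against a real exported event points at the extraction that scales with the length of the product list rather than with the number of events.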