Splunk Enterprise Security

Field extractor is unusually slow

rroberts
Splunk Employee

While working in the ESS app, searching for tag=attack over the last 60 mins time range, I get about 1,262 events. I get two warning banners.

1. Field extractor name=autoheader_for_sav is unusually slow (average execution time=721ms, probes=10 warning max=500ms)

2. Field extractor name=auto_kv_for_mcafee_ids_message is unusually slow (average execution time=541ms, probes=10 warning max=500ms)

What can I tune to avoid these warnings?

1 Solution

yannK
Splunk Employee

The solutions are:
- identify and improve the regexes/field extractions (if possible)
- or change the warning threshold for key-value extraction

Edit $SPLUNK_HOME/etc/system/local/limits.conf and change the max_extractor_time value.
See http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf

[kv]
# Maximum amount of CPU time, in milliseconds, that a key-value pair extractor
# will be allowed to take before warning. If the extractor exceeds this
# execution time on any event a warning will be issued. Defaults to 1000.
max_extractor_time = 1000

# Maximum amount of CPU time, in milliseconds, that the average (over search
# results) execution time of a key-value pair extractor will be allowed to take
# before warning. Once the average becomes larger than this amount of time a
# warning will be issued. Defaults to 500.
avg_extractor_time = 500
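
To put numbers behind the first option (improving the regex) before touching limits.conf, here is an added example that is not part of the original thread and not Splunk's own code: a small Python harness that times a regex extractor over a set of constructed sample events and applies the same two checks the [kv] stanza describes, a per-event ceiling (max_extractor_time) and an average over the probed events (avg_extractor_time). The event layout, the two regexes and the extractor names are invented for illustration; they are not McAfee IDS output or Splunk internals.

```python
import re
import time
from statistics import mean

# Threshold names mirror the limits.conf [kv] keys quoted in the answer;
# the values are the documented defaults (1000 ms per event, 500 ms average).
MAX_EXTRACTOR_TIME_MS = 1000
AVG_EXTRACTOR_TIME_MS = 500
PROBES = 10  # the banners in the question report probes=10

# Constructed sample events (invented layout, not real McAfee IDS output).
# A long trailing payload makes the cost of a leading ".*" visible when timing.
_PAYLOAD = "payload=" + "41" * 2000
SAMPLE_EVENTS = [
    f"2024-05-01T12:00:0{i}Z ids: src=10.0.0.{i} dst=192.0.2.{i} sig=SIG-{i} {_PAYLOAD}"
    for i in range(PROBES)
]

# Two extractors that yield the same fields on these events. The first leans on
# unanchored ".*" runs, each of which scans to the end of the event and then
# backtracks to find the next literal; the second consumes only what it needs.
GREEDY_RE = re.compile(r".*src=(?P<src>\S+).*dst=(?P<dst>\S+).*sig=(?P<sig>\S+)")
TIGHT_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+)")


def extract_fields(pattern, event):
    """Run one regex extraction and return (fields, elapsed_ms)."""
    start = time.perf_counter()
    match = pattern.search(event)
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    return (match.groupdict() if match else {}), elapsed_ms


def evaluate_timings(name, timings_ms, max_ms=MAX_EXTRACTOR_TIME_MS,
                     avg_ms=AVG_EXTRACTOR_TIME_MS):
    """Apply the per-event (max) and average (avg) checks to a list of timings."""
    worst = max(timings_ms)
    average = mean(timings_ms)
    warnings = []
    if worst > max_ms:
        warnings.append(
            f"Field extractor name={name} exceeded max_extractor_time "
            f"({worst:.0f}ms > {max_ms}ms)")
    if average > avg_ms:
        warnings.append(
            f"Field extractor name={name} is unusually slow (average execution "
            f"time={average:.0f}ms, probes={len(timings_ms)} warning max={avg_ms}ms)")
    return {"name": name, "avg_ms": average, "max_ms": worst, "warnings": warnings}


def probe_extractor(name, pattern, events, probes=PROBES):
    """Time an extractor over the first `probes` events and evaluate the result."""
    fields, timings = [], []
    for event in events[:probes]:
        extracted, elapsed = extract_fields(pattern, event)
        fields.append(extracted)
        timings.append(elapsed)
    report = evaluate_timings(name, timings)
    report["fields"] = fields
    return report


if __name__ == "__main__":
    for name, pattern in (("greedy_kv", GREEDY_RE), ("tight_kv", TIGHT_RE)):
        r = probe_extractor(name, pattern, SAMPLE_EVENTS)
        print(f"{name}: avg={r['avg_ms']:.3f}ms max={r['max_ms']:.3f}ms "
              f"warnings={r['warnings']}")
    # Replaying the figures from the question shows which threshold fired.
    print(evaluate_timings("auto_kv_for_mcafee_ids_message", [541.0] * 10)["warnings"])
```

Running it prints the average and worst timing for the greedy, unanchored pattern and for the tightened one that extracts the same fields; that difference is what the first option buys. Replaying the figures from the question (541 ms average over 10 probes, against a 500 ms limit) trips only the average check, which is the avg_extractor_time key in the stanza above, so a banner that reads "average execution time=..." is governed by avg_extractor_time; if the regex cannot be improved further, that is the value to raise above the observed average.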

BobM
Builder

Make them faster 😉


rroberts
Splunk Employee

Well, that almost solves it then. Guess I'll go look for best practices.
