While working in the ESS app, searching for tag=attack over the last 60 minutes I get about 1,262 events, and I get two warning banners:
1. Field extractor name=autoheader_for_sav is unusually slow (average execution time=721ms, probes=10 warning max=500ms)
2. Field extractor name=auto_kv_for_mcafee_ids_message is unusually slow (average execution time=541ms, probes=10 warning max=500ms)
What can I tune to avoid these warnings?
The solutions are:
- identify and improve the regexes/field extractions (if possible)
- or change the warning threshold for key-value extraction:
edit $SPLUNK_HOME/etc/system/local/limits.conf and change the max_extractor_time value
see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf

[kv]
max_extractor_time =
# Maximum amount of CPU time, in milliseconds, that a key-value pair extractor will be allowed to take before warning.
# If the extractor exceeds this execution time on any event a warning will be issued.
# Defaults to 1000.
avg_extractor_time =
# Maximum amount of CPU time, in milliseconds, that the average (over search results) execution time of a key-value pair extractor will be allowed to take before warning.
# Once the average becomes larger than this amount of time a warning will be issued.
# Defaults to 500.
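The two banners in the question report *average* execution time (721 ms and 541 ms against a 500 ms limit), which by the limits.conf text quoted above is the avg_extractor_time threshold rather than max_extractor_time. Before raising either threshold it is worth measuring what the extractors actually cost. The script below is an added illustration, not code from the original thread or from Splunk: it times two candidate regexes over a handful of constructed IDS-style key=value events, reports average and worst-case milliseconds per event the way the two warnings do, and checks them against the quoted defaults. The "slow" pattern is a hypothetical unanchored, nested-quantifier regex of the kind that produces these warnings; the "fast" one anchors on the literal field name. Python's re is used as a stand-in for Splunk's PCRE engine and wall-clock time as a stand-in for CPU time, so the absolute numbers are only indicative.

```python
import re
import time
from statistics import mean

# Thresholds from the limits.conf [kv] excerpt quoted in the answer (milliseconds).
DEFAULT_AVG_EXTRACTOR_TIME_MS = 500
DEFAULT_MAX_EXTRACTOR_TIME_MS = 1000

# Constructed sample events, loosely shaped like IDS key=value lines.
# They are NOT real McAfee or Symantec data.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 ids01 sensor=edge1,sig=1234,src=10.0.0.5,dst=10.0.0.9,proto=tcp,message=Port scan detected,severity=3",
    "Jan 10 12:00:02 ids01 sensor=edge1,sig=2231,src=10.0.0.7,dst=10.0.0.9,proto=udp,message=DNS amplification attempt,severity=4",
    "Jan 10 12:00:03 ids02 sensor=core2,sig=9001,src=192.0.2.4,dst=10.0.0.22,proto=tcp,message=Shellcode pattern,severity=5",
    # No message= field at all: a backtracking-heavy pattern has to try every
    # way of splitting this line on commas before it can report "no match",
    # which is what drives a single event over the max threshold.
    "Jan 10 12:00:04 ids02 sensor=core2,sig=0,src=192.0.2.9,dst=10.0.0.23,proto=icmp,a=1,b=2,c=3,severity=1",
]

# Hypothetical "before" extraction: (?:.*?,)* is a nested quantifier that
# backtracks exponentially in the number of commas when the field is absent.
SLOW_PATTERN = r"(?:.*?,)*message=([^,]*)"
# Hypothetical "after" extraction: start at the literal field name, then read
# up to the next delimiter. No ambiguity, so no backtracking.
FAST_PATTERN = r"message=([^,]*)"


def profile_extractor(pattern, events, repeats=5):
    """Time one regex over each event and summarise it like Splunk's warnings.

    Returns avg_ms and max_ms per event (wall clock, averaged over `repeats`
    runs to smooth timer jitter) plus the captured field value per event.
    """
    if repeats < 1:
        raise ValueError("repeats must be >= 1")
    rx = re.compile(pattern)
    per_event_ms = []
    values = []
    for ev in events:
        match = None
        start = time.perf_counter()
        for _ in range(repeats):
            match = rx.search(ev)
        per_event_ms.append((time.perf_counter() - start) * 1000.0 / repeats)
        values.append(match.group(1) if match else None)
    return {"avg_ms": mean(per_event_ms), "max_ms": max(per_event_ms), "values": values}


def check_thresholds(stats,
                     avg_limit=DEFAULT_AVG_EXTRACTOR_TIME_MS,
                     max_limit=DEFAULT_MAX_EXTRACTOR_TIME_MS):
    """Reproduce the two [kv] warnings: which setting would fire, and by how much."""
    warnings = []
    if stats["avg_ms"] > avg_limit:
        warnings.append("avg_extractor_time: average %.0fms > %dms" % (stats["avg_ms"], avg_limit))
    if stats["max_ms"] > max_limit:
        warnings.append("max_extractor_time: single event %.0fms > %dms" % (stats["max_ms"], max_limit))
    return warnings


if __name__ == "__main__":
    for name, pattern in (("slow", SLOW_PATTERN), ("fast", FAST_PATTERN)):
        stats = profile_extractor(pattern, SAMPLE_EVENTS)
        print("%s: avg=%.3fms max=%.3fms values=%r" % (name, stats["avg_ms"], stats["max_ms"], stats["values"]))
        for w in check_thresholds(stats):
            print("  WARNING", w)
    # A fake measurement matching the first banner in the question:
    print(check_thresholds({"avg_ms": 721.0, "max_ms": 900.0}))
```

Run it as-is; the two patterns extract identical values, but the nested-quantifier one does far more work on the event that lacks the field, which is the case that pushes one extractor over max_extractor_time while leaving the average only modestly elevated. Raising avg_extractor_time or max_extractor_time only silences the banner; the search still pays the regex cost on every event.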
Make them faster 😉
Well, that almost solves it then. Guess I'll go look for best practices.