Refine your search:

Field extractor is unusually slow

0

While working in the ESS app searching for tag=attack last 60 mins time range I get about 1,262 events. I get two warning banners.
1. Field extractor name=autoheader_for_sav is unusually slow (average execution time=721ms, probes=10 warning max=500ms)
2. Field extractor name=auto_kv_for_mcafee_ids_message is unusually slow (average execution time=541ms, probes=10 warning max=500ms)
What can I tune to avoid these warnings?

asked 11 Nov '11, 11:30

rroberts's gravatar image

rroberts
1.7k218
accept rate: 44%

retagged 05 Nov '12, 08:30

LukeMurphey's gravatar image

LukeMurphey
1.4k211
2 Answers:
oldestnewestmost voted
1

The solutions are : - identify and improve the regexes/field extractions ( if possible ) - or change the warning threshold for key values extraction

edit $SPLUNK_HOME/etc/system/local/limits.conf, and change max_extractor_time value see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf

[kv]
max_extractor_time = <integer>
# Maximum amount of CPU time, in milliseconds, that a key-value pair extractor will be allowed to  take before warning. If the extractor exceeds this execution time on any event a warning will be issued  Defaults to 1000

avg_extractor_time = <integer>
# Maximum amount of CPU time, in milliseconds, that the average (over search results) execution time of   a key-value pair extractor will be allowed to take before warning. Once the average becomes larger  than this amount of time a warning will be issued Defaults to 500
link

answered 29 Jun '12, 11:59

yannK's gravatar image

yannK
13.5k823
accept rate: 31%

-1

Make them faster ;-)

link

answered 09 Jan '12, 03:12

BobM's gravatar image

BobM
2.4k1413
accept rate: 31%

Well that almost solves it then. Guess ill go look for best practices.

(09 Jan '12, 05:32) rroberts
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×549
×240
×11

Asked: 11 Nov '11, 11:30

Seen: 1,508 times

Last updated: 05 Nov '12, 08:30

Related questions

Field extractor is unusually slow (max single event time=, probes=warning max=)

Field extractor warning.

# Field extractor name=EXTRACT-UniqueID Error ??

WMI kv field extraction is very slow... (How to make your WMI searches 20x faster)

How to resolve field extractor error

Speed impact of field extractions?

max length of regex in Interactive Field Extractor is set to 200 chars

field extractor question with regex

Copyright © 2005-2012 Splunk Inc. All rights reserved.