I'm trying to collect performance information about search-time field extractions happening on different search-peers, but even if I can see the total search duration for the available peers (e.g. ) I didn't find yet anything specific for the field extraction process.
The only "close-enough" bits of information that seem to be related with what I'm looking for are:
| rest /services/search/jobs splunk_server=local summarize=false | fields label, performance.*field*.duration_secs
And more in particular:
performance.command.fields.duration_secs
performance.command.search.calcfields.duration_secs
performance.command.search.fieldalias.duration_secs
performance.dispatch.evaluate.fields.duration_secs
Nevertheless those don't seem to be officially documented and seem to only refer to something happening on the search-head.
The thing is... from time to time I've seen some warning messages like `Field extractor name=blablabla is unusually slow (max single event time=1036ms, probes=422 warning max=1000ms)` so Slunk is actually collecting information about the field extraction process, now the question is how can I retrieve them for my analysis? :)
↧