To improve indexing speed for windows security events, we have been told to enable:
suppress_sourcename
suppress_checkpoint
suppress_keywords
suppress_type
suppress_opcode
We did see our indexing speeds improve 4x, from 2 Mbps to 7.94 Mbps.
We were also told that we need to set **renderxml=true** for these suppression stanzas to work. Is this accurate?
The problem with our RenderXML=True is that our fields **do not extract correctly**. The events also break. We are using the latest **TA-Windows** app.
Are we losing anything by enabling these (Splunk developer) settings?
Does this just affect search time field extraction?
Is the processing now being done on the indexers as a result?
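For reference, this is the shape of the inputs.conf stanza these settings live in, written as an added example and not taken from the poster's configuration: the five suppress_* keys are the ones listed in the question, renderXml is the setting the question asks about, and the stanza name, the `disabled = 0` line and the `true` values are assumptions. Whether renderXml is actually required for the suppress_* keys to take effect is the open question above, and this fragment does not settle it.

```ini
# inputs.conf on the Windows universal forwarder (assumed placement; example only)
[WinEventLog://Security]
disabled = 0
# Setting the question says they were advised to enable alongside the suppressions
renderXml = true
# The five suppressions named in the question
suppress_sourcename = true
suppress_checkpoint = true
suppress_keywords = true
suppress_type = true
suppress_opcode = true
```

When comparing throughput before and after, change only this stanza on one forwarder and keep the same event source, so that the measured difference (the 2 Mbps to 7.94 Mbps figure in the question) can be attributed to the suppressions rather than to renderXml or to a different event volume.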