Hey All,
We have been experiencing issues with latency concerning Windows events being processed/indexed in Splunk.
After numerous escalations and calls with support, they suggested we enable the below suppression settings in our inputs.conf to boost throughput and performance:
suppress_checkpoint = true
suppress_sourcename=true
suppress_keywords=true
suppress_type=true
suppress_task=true
suppress_opcode=true
suppress_text=true
It worked great to boost throughput, but after a while we noticed that field extractions stopped working for quite a few hosts.
Has anyone else enabled these settings and seen the same issue with extractions?