Hi.
The Splunk for Unix/Linux add-on app includes a transforms.conf with a lot of regexps. After I installed this in my indexers, CPU usage for regexpreplacement has doubled. Are all these transformations/regexps applied to all incoming events? is that correct? I use a very small subset of this app, it sounds like a waste of resources to have all those regexps applied to all incoming events.
Thanks.
↧