A customer has a number of inefficient regex replacement transforms being applied. When under heavy load the indexers are struggling to maintain the expected indexing rate. In a worst-case scenario, which queue(s) would be expected to fill up?
The queue that would be expected to fill up in a worst case scenario when the indexers are struggling to maintain the expected indexing rate due to inefficient regex replacement transforms is the parsing queue. The parsing queue is the queue that holds the events that are being parsed by the indexers. Parsing is the process of extracting fields, timestamps, and other metadata from the raw data. Regex replacement transforms are part of the parsing process, and they can be very CPU-intensive if they are not optimized. Therefore, if the indexers are overloaded with inefficient regex replacement transforms, the parsing queue will fill up faster than it can be emptied, and the indexing rate will suffer. Therefore, the correct answer is B. Parsing. References:
Splunk Core Certified Consultant Test Blueprint
Splunk Documentation: Splunk Enterprise queues
Splunk Documentation: About parsing
Splunk Documentation: Configure transforms for indexed field extraction
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit