Expensive custom properties found

38750138 - Performance degradation was detected in the event pipeline. Expensive custom properties were found.

Explanation

During normal processing, custom event and custom flow properties that are marked as optimized are extracted in the pipeline during processing. The values are used in the custom rules engine (CRE) and search indexes.

Regex statements, which are improperly formed regular expressions, can cause events to be incorrectly routed directly to storage.

User response

Select one of the following options:

Disable any custom property that was recently installed.

Review the payload of the notification. If possible, improve the regex statements that are associated with the custom property.

For example, the following payload reports the regex pattern:

Feb 23 11:44:43 ::ffff:10.1.12.12 [ecs-ec] 
[Timer-60] com.q1labs.semsources.filters.normalize.DSMFilter:  
[WARN] [NOT:0080004105][10.130.126.12/- -] 
[-/- -]Expensive Custom  Properties Based On Average 
Throughput in the last 60 seconds (most to  least expensive) 
- (\w+) /\S+=1136.0eps

Modify the custom property definition to narrow the scope of categories that the property tries to match.
Specify a single event name in the custom property definition to prevent unnecessary attempts to parse the event.
Order your log source parsers from the log sources with the most sent events to the least and disable unused parsers.