To improve indexing speed for Windows security events on Splunk Heavy Forwarders with Windows Event Collection enabled, we have been told to enable the following (in our inputs.conf):

suppress_sourcename
suppress_checkpoint
suppress_keywords
suppress_type
suppress_opcode
use_threads = 7

We did see our indexing speed improve about 4x, from 2 Mbps to 7.94 Mbps. But once the logs were ingested, indexing rates dropped back down to around 1-2 Mbps.

We were also told that we need to set renderXml = true for these suppression settings to work. Is this accurate?

The problem with renderXml = true is that our fields do not extract correctly. The events also break. We are using the latest TA-Windows app.

Are we losing anything by enabling these (Splunk developer) settings?

Does this only affect search-time field extraction?

Is the processing now being done on the indexers as a result?

Update 10/1/2019

We disabled suppression and the latency came back.

We disabled renderXml = true and it didn't affect speeds.

We solved our fields not extracting at search time by changing the sourcetype for the [WinEventLog://Forwarded Events] input (with renderXml = true).
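For reference, here is what the settings discussed in this thread look like when put together in one inputs.conf stanza on the collector's heavy forwarder. This is an added example, not configuration from the original post: the channel name is assumed to be the Windows-internal ForwardedEvents, the `disabled` and `checkpointInterval` lines are illustrative, and the sourcetype is a placeholder because the post does not name the one that fixed extraction. The settings themselves are documented inputs.conf keys for the WinEventLog input; each suppress_* key omits the named field from the event that is forwarded, so any search-time extraction that depends on that field (Keywords, OpCode, Type, SourceName) will come back empty for those events, which is the trade-off behind the "are we losing anything" question.

```ini
# inputs.conf on the heavy forwarder that hosts the Windows Event Collector.
# Added example; values below are illustrative, not from the original post.
[WinEventLog://ForwardedEvents]
disabled = 0

# Render each event as XML rather than the classic multi-line text format.
# The field extractions that apply depend on the sourcetype assigned here.
renderXml = true

# Placeholder: the post says changing the sourcetype fixed search-time
# extraction with renderXml = true but does not give the value used.
sourcetype = <your_xml_event_sourcetype>

# Drop these fields from every forwarded event to shrink the payload.
# Anything at search time that relies on them will no longer populate.
suppress_sourcename = true
suppress_keywords = true
suppress_type = true
suppress_opcode = true

# Stop strictly honouring checkpointInterval when saving checkpoints.
suppress_checkpoint = true
checkpointInterval = 5

# Extra worker threads, beyond the default writer thread, for this input.
use_threads = 7
```

After changing these, a quick way to confirm what was actually dropped is to compare a raw event from before and after the change: the suppressed lines are simply absent from the event body, which is why the sourcetype and its extractions need to match the rendered format rather than the classic one.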