
Field Extraction Index Time Vs Search Time

Index-time field extraction can degrade performance compared to search-time extraction. At index-time, field extraction slows down the indexing process and enlarges the index size. Larger indexes slow down searches. In contrast, search-time extraction performs field extractions during searches as events are collected, avoiding performance impacts to indexing and index size. It is generally better to perform knowledge-building like field extraction at search-time rather than index-time for better performance.

Uploaded by

Gopinath S

Splunk Mania

Field Extraction: Index Time vs Search Time (Which is better?)

General Rule: Index-time custom field extraction can degrade performance.

Search-time field extraction is better.

Index time

These processes take place between the point when the data is consumed and the point when it is written to disk.

• Default field extraction (such as host, source, sourcetype, and timestamp)
• Static or dynamic host assignment for specific inputs
• Default host assignment overrides
• Source type customization
• Custom index-time field extraction
• Structured data field extraction
• Event timestamping
• Event linebreaking
• Event segmentation (also happens at search time)

Search time

These processes take place while a search is run, as events are collected by the search.

• Event segmentation (also happens at index time)
• Event type matching
• Search-time field extraction (automatic and custom field extractions, including multivalue fields and calculated fields)
• Field aliasing
• Addition of fields from lookups
• Source type renaming
• Tagging
How does index-time extraction degrade performance?

As a general rule, it is better to perform most knowledge-building activities, such as field extraction, at search time. Index-time custom field extraction can degrade performance at both index time and search time. When you add to the number of fields extracted during indexing, the indexing process slows. Later, searches on the index are also slower, because the index has been enlarged by the additional fields, and a search on a larger index takes longer.
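
The two approaches side by side as Splunk configuration, for the same field. This is an added example, not part of the original slides; the sourcetype app:auth, the field user_id, the stanza name userid_indexed and the regex are assumptions constructed for illustration.

```ini
# ---- Index-time extraction ----
# Runs while data is parsed, before it is written to disk.
# Needs three files, and the extracted field is stored in the index.

# transforms.conf (on the indexer or heavy forwarder)
[userid_indexed]
REGEX = user_id=(\d+)
# name::value form is how an indexed field is written
FORMAT = user_id::$1
# WRITE_META = true stores the field in the index alongside the event
WRITE_META = true

# props.conf (on the indexer or heavy forwarder)
[app:auth]
TRANSFORMS-userid = userid_indexed

# fields.conf (on the search head)
# Tells search that user_id is an indexed field.
[user_id]
INDEXED = true

# ---- Search-time extraction ----
# Runs only when a search retrieves events of this sourcetype.
# One setting, nothing extra written to the index.

# props.conf (on the search head)
[app:auth]
EXTRACT-userid = user_id=(?<user_id>\d+)
```

An index-time extraction applies only to data indexed after the change, while a search-time extraction also applies to events already on disk, which is why a wrong regex is cheaper to correct at search time.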

Next:
How Indexing works in Splunk?

Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Indextimeversussearchtime
