https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-efficiency-for-transaction-command/m-p/373534#M1139 <P>HI Splunkers,</P> <P>We do have proofpoint logs which we are combining based on the common field with the help of transaction command. <BR /> Also we don't have proper field extraction in place so we are planning to create one either with splunk extraction options or with manual regex after the transaction command.</P> <P>Which one will be good/efficient way,<BR /><BR /> 1) combining the common fields with transaction command and then writing regex as a whole<BR /> Or 2) Extracting the fields individually with splunk extraction method and then going with transaction</P> <P>Please advice</P> Wed, 04 Oct 2017 06:38:31 GMT renjujacob88 2017-10-04T06:38:31Z https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-efficiency-for-transaction-command/m-p/373534#M1139 <P>HI Splunkers,</P> <P>We do have proofpoint logs which we are combining based on the common field with the help of transaction command. <BR /> Also we don't have proper field extraction in place so we are planning to create one either with splunk extraction options or with manual regex after the transaction command.</P> <P>Which one will be good/efficient way,<BR /><BR /> 1) combining the common fields with transaction command and then writing regex as a whole<BR /> Or 2) Extracting the fields individually with splunk extraction method and then going with transaction</P> <P>Please advice</P> Wed, 04 Oct 2017 06:38:31 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-efficiency-for-transaction-command/m-p/373534#M1139 renjujacob88 2017-10-04T06:38:31Z https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-efficiency-for-transaction-command/m-p/373535#M1140 <P>Hi,</P> <P>Option #2 is smarter, as you work on the events.<BR /> But first I would check if transaction can be replaced by the much faster "stats" command, as its a streaming command.<BR /> In combination with #2 you can pre-filter the data and then add the stats.</P> <P>Kind regards,<BR /> Jens</P> Wed, 04 Oct 2017 06:58:34 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-efficiency-for-transaction-command/m-p/373535#M1140 JensT 2017-10-04T06:58:34Z https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-efficiency-for-transaction-command/m-p/373536#M1141 <P>Hi,</P> <P>you want to use field extractions <STRONG>before</STRONG> you do your Splunk search with a transaction.<BR /> Also, if you have fields already, you can as well use the <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats">stats</A> function (or <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats">tstats</A> for even faster queries, but no raw data).<BR /> Stats should be preferred to transactions, it is more efficient.</P> <P>Skalli</P> Wed, 04 Oct 2017 07:03:34 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-efficiency-for-transaction-command/m-p/373536#M1141 skalliger 2017-10-04T07:03:34Z https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-efficiency-for-transaction-command/m-p/373537#M1142 <P>Proofpoint now has a beta app that will allow you report on and visualze your Proofpoint Protection Server and TAP data! Check out the new app here:</P> <P><A href="https://splunkbase.splunk.com/app/3727/#/details">https://splunkbase.splunk.com/app/3727/#/details</A></P> <P>Be sure to follow the instructions listed in the details to get all the needed TA's etc that the app needs to work correctly.</P> Mon, 09 Oct 2017 21:41:20 GMT https://community.splunk.com/t5/Splunk-Enterprise/Field-extraction-efficiency-for-transaction-command/m-p/373537#M1142 eckolp2003 2017-10-09T21:41:20Z