https://community.splunk.com/t5/Deployment-Architecture/What-is-the-effect-of-annotate-punct-on-indexing-time/m-p/459839#M20254 <P>Our sales engineer said -</P> <P>PUNCT is exactly like it sounds; it’s an index-time field containing an ordered list of punctuations in an event. This is extremely useful for finding “patterns” of events; like a windows event where the service name and IP address would change but the event <EM>structure</EM> would remain the same.</P> <P>It’s used in the background by Splunk sometimes. Very useful for eventtype, tagging, etc.</P> <P>ANNOTATE_PUNCT in particular is a toggling switch for this setting. It’s on by default, but if you have;<BR /> 1. Extremely long events<BR /> 2. Extremely frequent events<BR /> 3. Events all of the same PUNCT pattern<BR /> 4. Events of all different PUNCT patterns</P> <P>Than turning it off will reduce indexer CPU load on the parsing queue in the indexing pipeline.</P> Wed, 07 Nov 2018 14:25:37 GMT ddrillic 2018-11-07T14:25:37Z https://community.splunk.com/t5/Deployment-Architecture/What-is-the-effect-of-annotate-punct-on-indexing-time/m-p/459838#M20253 <P>The architecting Splunk 7.1 Enterprise Deployments class empathizes that setting <CODE>annotate_punct = false</CODE> in <CODE>props.conf</CODE> at indexer-level can improve significantly the indexing time.</P> <P>I wonder why setting it like this can improve indexing time and in which cases we should keep the punctuations field. </P> Tue, 06 Nov 2018 23:47:39 GMT https://community.splunk.com/t5/Deployment-Architecture/What-is-the-effect-of-annotate-punct-on-indexing-time/m-p/459838#M20253 ddrillic 2018-11-06T23:47:39Z https://community.splunk.com/t5/Deployment-Architecture/What-is-the-effect-of-annotate-punct-on-indexing-time/m-p/459839#M20254 <P>Our sales engineer said -</P> <P>PUNCT is exactly like it sounds; it’s an index-time field containing an ordered list of punctuations in an event. This is extremely useful for finding “patterns” of events; like a windows event where the service name and IP address would change but the event <EM>structure</EM> would remain the same.</P> <P>It’s used in the background by Splunk sometimes. Very useful for eventtype, tagging, etc.</P> <P>ANNOTATE_PUNCT in particular is a toggling switch for this setting. It’s on by default, but if you have;<BR /> 1. Extremely long events<BR /> 2. Extremely frequent events<BR /> 3. Events all of the same PUNCT pattern<BR /> 4. Events of all different PUNCT patterns</P> <P>Than turning it off will reduce indexer CPU load on the parsing queue in the indexing pipeline.</P> Wed, 07 Nov 2018 14:25:37 GMT https://community.splunk.com/t5/Deployment-Architecture/What-is-the-effect-of-annotate-punct-on-indexing-time/m-p/459839#M20254 ddrillic 2018-11-07T14:25:37Z https://community.splunk.com/t5/Deployment-Architecture/What-is-the-effect-of-annotate-punct-on-indexing-time/m-p/459840#M20255 <P>It seems to me that most log files would fall under the 3 category - <EM>Events all of the same PUNCT pattern</EM>.</P> Wed, 07 Nov 2018 14:41:51 GMT https://community.splunk.com/t5/Deployment-Architecture/What-is-the-effect-of-annotate-punct-on-indexing-time/m-p/459840#M20255 ddrillic 2018-11-07T14:41:51Z