topic Re: Field extractions in Getting Data In

Field extractions

spulivarthi700 — Tue, 31 Mar 2026 17:46:48 GMT

Hey team,
If we want to reduce pressure on our Splunk indexers and our data is routing through Cribl, what does Splunk recommend?
Should all field extractions happen at the Cribl level before data reaches the indexers for any type of data, so the indexers don't need to do any parsing work?
What's the actual Splunk recommendation here ?

Re: Field extractions

gcusello — Wed, 01 Apr 2026 06:39:54 GMT

Hi @spulivarthi700 ,

the most field extractions are at search time, so the pressure is on Search Heads, not Indexers.

Anyway, in general, you can reduce jobs on Indexers, using one or more intermediate Heavy Forwarders that will parse your data, instead indexers.

but the question is: which Add-On are you using to parse cribl data?

because if you're using the Cribl Decrypt Add-On for Splunk, it hasn't any parsing rule.

Ciao.

Giuseppe

Re: Field extractions

PickleRick — Wed, 01 Apr 2026 07:58:00 GMT

With Splunk most extractions happen at search time. You can use indexed fields but it's not a recommended good practice. There are some specific use cases when indexed fields are OK but generally you should rather focus on fixing your searches.

And I suspect what you're trying to do is solve a completely different problem than the one you have - you're trying to change your "data infrastructure" while the system load issue is most probably caused by badly written searches (and possibly not properly managed users' workload).