https://community.splunk.com/t5/Getting-Data-In/log-with-key-value-pair-or-transforms-conf-performance-diffrence/m-p/86562#M17985 <P>Well, as you've probably calculated, you'll save some license space - in this case like 40%. I cannot see any immediate downside to the approach - <EM>as long as you keep the number and order of fields constant</EM>. With key=value pairs, that is not relevant, as the extraction takes place automatically. </P> <P>You should probably set <CODE>KV_MODE=none</CODE> for this sourcetype in props.conf. </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf</A></P> <P>Whether a <CODE>REPORT</CODE> is faster than <CODE>KV_MODE=auto</CODE>... I don't know - perhaps a little.</P> <P>/K</P> Tue, 08 Oct 2013 08:36:27 GMT kristian_kolb 2013-10-08T08:36:27Z https://community.splunk.com/t5/Getting-Data-In/log-with-key-value-pair-or-transforms-conf-performance-diffrence/m-p/86561#M17984 <P>Hi,</P> <P>to gain index size I made the log format as below. I didn't use key value pair.</P> <P>20121101095842|192.168.1.2|KRQQQShcnQdRK8pLKTXC|20138494756382|I|PLAY|this the detailed info|1</P> <P>And in transforms.conf I defined the fields.<BR /> DELIMS="|"<BR /> FIELDS=time,sourceip,session_id,customer_id,channel,op_type,detail,result_code</P> <P>What if I made the log format like;</P> <P>time=20121101095842,sourceip=192.168.1.2,sessiın_id=KRQQQShcnQdRK8pLKTXC,customer_id=20138494756382,channel=I, op_type=PLAY, detail=this the detailed info|result_code=1</P> <P>Is there any performance diffrence between these two? a big diffrence in speed?</P> <P>thanks,</P> <P>a.</P> Mon, 28 Sep 2020 14:55:05 GMT https://community.splunk.com/t5/Getting-Data-In/log-with-key-value-pair-or-transforms-conf-performance-diffrence/m-p/86561#M17984 jazzythemartian 2020-09-28T14:55:05Z https://community.splunk.com/t5/Getting-Data-In/log-with-key-value-pair-or-transforms-conf-performance-diffrence/m-p/86562#M17985 <P>Well, as you've probably calculated, you'll save some license space - in this case like 40%. I cannot see any immediate downside to the approach - <EM>as long as you keep the number and order of fields constant</EM>. With key=value pairs, that is not relevant, as the extraction takes place automatically. </P> <P>You should probably set <CODE>KV_MODE=none</CODE> for this sourcetype in props.conf. </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf</A></P> <P>Whether a <CODE>REPORT</CODE> is faster than <CODE>KV_MODE=auto</CODE>... I don't know - perhaps a little.</P> <P>/K</P> Tue, 08 Oct 2013 08:36:27 GMT https://community.splunk.com/t5/Getting-Data-In/log-with-key-value-pair-or-transforms-conf-performance-diffrence/m-p/86562#M17985 kristian_kolb 2013-10-08T08:36:27Z https://community.splunk.com/t5/Getting-Data-In/log-with-key-value-pair-or-transforms-conf-performance-diffrence/m-p/86563#M17986 <P>REPORT with DELIMS is definitely faster if you turn off KV_MODE=auto for that type. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> I'm not sure if "properly configured" REPORT with DELIMS alone is faster than key=value pairs, however.</P> Tue, 08 Oct 2013 13:04:11 GMT https://community.splunk.com/t5/Getting-Data-In/log-with-key-value-pair-or-transforms-conf-performance-diffrence/m-p/86563#M17986 sowings 2013-10-08T13:04:11Z https://community.splunk.com/t5/Getting-Data-In/log-with-key-value-pair-or-transforms-conf-performance-diffrence/m-p/86564#M17987 <P>Naturally - having both is the worst <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Gut feeling says that REPORT + KV_MODE=none should be faster than KV_MODE=auto. Should be fewer, less complicated steps. Though for some searches the difference might not be even noticeable.</P> Mon, 28 Sep 2020 14:55:16 GMT https://community.splunk.com/t5/Getting-Data-In/log-with-key-value-pair-or-transforms-conf-performance-diffrence/m-p/86564#M17987 kristian_kolb 2020-09-28T14:55:16Z https://community.splunk.com/t5/Getting-Data-In/log-with-key-value-pair-or-transforms-conf-performance-diffrence/m-p/86565#M17988 <P>I agree with your gut.</P> Tue, 08 Oct 2013 14:00:02 GMT https://community.splunk.com/t5/Getting-Data-In/log-with-key-value-pair-or-transforms-conf-performance-diffrence/m-p/86565#M17988 sowings 2013-10-08T14:00:02Z