https://community.splunk.com/t5/Getting-Data-In/Inline-field-extracted-vs-Transformation/m-p/323116#M60183 <P>They are the same except that <CODE>EXTRACT</CODE> is inlined so only exists in <CODE>props.conf</CODE> whereas <CODE>REPORT</CODE> is 2-part with half in <CODE>props.conf</CODE> and the other half in <CODE>transforms.conf</CODE>. If later extractions depend on other extractions, you should definitely use <CODE>REPORT</CODE> so that you can clearly control which ones happen first. Also, if you have the same extractions for multiple sourcetypes, it is easier to have a single copy in <CODE>transforms.conf</CODE> so that any changes/fixes to it are done on 1 line in 1 file instead of on multiple lines in multiple files. Honestly, <CODE>EXTRACT</CODE> is lazy; I always do <CODE>REPORT</CODE>; I cannot think of any real advantage to <CODE>EXTRACT</CODE>.</P> Thu, 23 Feb 2017 07:32:48 GMT woodcock 2017-02-23T07:32:48Z https://community.splunk.com/t5/Getting-Data-In/Inline-field-extracted-vs-Transformation/m-p/323115#M60182 <P>I am walking through the Cisco app and I noticed that there are a lot different ways fields are being extracted. It looks like there are many inline extractions and others referencing a transform, all in the props.conf, (EXTRACT vs REPORT). I have seen bits and pieces on what is the difference is between the two methods, but it still is unclear to me. </P> <P>My question is, what are the pros and cons of doing an inline EXTRACT versus doing a transformation and reference it with a REPORT in the props. conf, and vice versa.</P> Wed, 22 Feb 2017 22:21:36 GMT https://community.splunk.com/t5/Getting-Data-In/Inline-field-extracted-vs-Transformation/m-p/323115#M60182 cmeyers 2017-02-22T22:21:36Z https://community.splunk.com/t5/Getting-Data-In/Inline-field-extracted-vs-Transformation/m-p/323116#M60183 <P>They are the same except that <CODE>EXTRACT</CODE> is inlined so only exists in <CODE>props.conf</CODE> whereas <CODE>REPORT</CODE> is 2-part with half in <CODE>props.conf</CODE> and the other half in <CODE>transforms.conf</CODE>. If later extractions depend on other extractions, you should definitely use <CODE>REPORT</CODE> so that you can clearly control which ones happen first. Also, if you have the same extractions for multiple sourcetypes, it is easier to have a single copy in <CODE>transforms.conf</CODE> so that any changes/fixes to it are done on 1 line in 1 file instead of on multiple lines in multiple files. Honestly, <CODE>EXTRACT</CODE> is lazy; I always do <CODE>REPORT</CODE>; I cannot think of any real advantage to <CODE>EXTRACT</CODE>.</P> Thu, 23 Feb 2017 07:32:48 GMT https://community.splunk.com/t5/Getting-Data-In/Inline-field-extracted-vs-Transformation/m-p/323116#M60183 woodcock 2017-02-23T07:32:48Z https://community.splunk.com/t5/Getting-Data-In/Inline-field-extracted-vs-Transformation/m-p/323117#M60184 <P>Please in better understanding, what is the actual difference between prof.conf and transforms.conf file?</P> Fri, 19 Apr 2019 09:17:15 GMT https://community.splunk.com/t5/Getting-Data-In/Inline-field-extracted-vs-Transformation/m-p/323117#M60184 rita201 2019-04-19T09:17:15Z https://community.splunk.com/t5/Getting-Data-In/Inline-field-extracted-vs-Transformation/m-p/323118#M60185 <P>I never heard of <CODE>prof.conf</CODE> but in any case, you should ask your own new question.</P> Tue, 23 Apr 2019 05:09:29 GMT https://community.splunk.com/t5/Getting-Data-In/Inline-field-extracted-vs-Transformation/m-p/323118#M60185 woodcock 2019-04-23T05:09:29Z