topic Re: moving from indexed time _json to search time in Getting Data In

moving from indexed time _json to search time

Skins — Tue, 26 Feb 2019 00:05:06 GMT

We are using a lot of indexed time _json sourcetypes on our heavy forwarder for file inputs and HTTP event collector.

Would it be recommended to move to search time field extraction ?

What would the steps be from the heavy forwarder to the search head cluster ?

gratzi

Re: moving from indexed time _json to search time

tiagofbmm — Tue, 29 Sep 2020 23:21:09 GMT

Indexed Time extractions will increase the size of your tsidx files because Splunk will need to keep the structure fixed on those sourcetypes.

In general, Search Time is the recommended way for agility, freedom, manageability of future changes, correcting errors and improvements/evolution on what you want to get from your sourcetypes.

If you don't want INDEXED_EXTRACTIONS on your json, you just need to remove the INDEXED_EXTRACTIONS=JSON in your props.conf for the referred sourcetypes on the HF.

Then configure either partial extractions in the Search Head, under your sourcetype in props:

EXTRACT-global = "\"id: \"(?<id>[^\"]*)"

Or as @FrankVl mentions below , just get them all again with KV_MODE=json

For JSON, the INDEXED_EXTRACTIONS or KV_MODE=json are pretty useful, so I wouldn't suggest doing all this parsing by yourself here, unless you are only aiming to extract a very small contained portion of the full events

Re: moving from indexed time _json to search time

FrankVl — Tue, 26 Feb 2019 10:45:57 GMT

No need to specify all the extractions like that right. You can also just set KV_MODE = json in your props.conf to enable automatic search time json extractions.

Just make sure you don't have both KV_MODE = json and INDEXED_EXTRACTIONS=JSON enabled, because then you get all field values twice.

Re: moving from indexed time _json to search time

tiagofbmm — Tue, 26 Feb 2019 10:50:55 GMT

Yes totally agree @FrankVl , KV_MODE = json get's you all of those fields on search time