https://community.splunk.com/t5/Getting-Data-In/Are-there-performance-benefits-to-placing-the-timestamp-at-the/m-p/458579#M79252 <P>That's a good approach. The docs team is great about chasing down answers to questions raised by the docs.</P> Wed, 07 Nov 2018 12:25:10 GMT richgalloway 2018-11-07T12:25:10Z https://community.splunk.com/t5/Getting-Data-In/Are-there-performance-benefits-to-placing-the-timestamp-at-the/m-p/458576#M79249 <H2>Background</H2> <P>I forward data to Splunk in JSON Lines format with the event timestamp as the first field of each line:</P> <PRE><CODE>{"time":"2018-11-02T23:59:30.123456Z","type":"xyz", ... </CODE></PRE> <P>Here is the corresponding <CODE>props.conf</CODE> stanza:</P> <PRE><CODE>[myapp] SHOULD_LINEMERGE = false KV_MODE = json TIME_PREFIX = {\"time\":\" # Time stamp: # - ISO 8601 extended format # - Seconds to a maximum precision of 6 decimal places # - With zone designator TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z </CODE></PRE> <P>This works.</P> <P>Recently, a colleague who is designing the JSON Lines output for a new project, where the data will also be forwarded to Splunk, queried two aspects of what I have just described:</P> <UL> <LI>The position of the timestamp at the start of each line. The colleague proposed outputting fields in alphabetical order; <CODE>"time"</CODE> would be towards the end of each line.</LI> <LI>The lack of a "start of line" anchor (^) at the start of the <CODE>TIME_PREFIX</CODE> value.</LI> </UL> <P>These queries from my colleague prompted me to revisit the corresponding settings in Splunk and to ask the following questions here...</P> <P>(Note: I am <EM>not</EM> talking about the order in which JSON parsers process properties. I don't believe that issue is relevant here, in the context of Splunk timestamp recognition.)</P> <H2>Questions</H2> <H3>Are there performance benefits to placing the timestamp at the start of input event data?</H3> <P>(As opposed to placing <CODE>"time"</CODE> later in each line.)</P> <P>I thought the answer was "yes", but, after carefully re-reading the related Splunk docs, I'm no longer sure.</P> <P>I had previously thought that Splunk scanned each line from left to right for the first match for the <CODE>TIME_PREFIX</CODE> regex.</P> <P>However, based on what my colleague tells me about regex processing in environments outside of Splunk, I suspect I've been naive about that strict "left to right" assumption. Which leads to my next question...</P> <H3>Would adding a start of line anchor (^) to my regex improve performance?</H3> <P>Like this:</P> <PRE><CODE>TIME_PREFIX = ^{\"time\":\" </CODE></PRE> <P>I'm asking because I previously thought—perhaps naively—that this anchor would be redundant, because Splunk searched the input line from left to right anyway.</P> <H3>Would setting <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE> offer any performance benefits?</H3> <P>If so, how, exactly? (To "abort" reading malformed/garbled input lines sooner rather than later?)</P> <P>The default value of 128 exceeds the longest possible time stamp value; I could reduce it to match that longest possible value.</P> <H3>What are the optimal <CODE>props.conf</CODE> settings for timestamp recognition in this case?</H3> <P>This is really just a "catch-all" in case I missed any issues in my earlier, more specific questions.</P> <P>For example, given that, in this case, the timestamp is only a few characters into the line, would it be more performant to <EM>not</EM> specify <CODE>TIME_PREFIX</CODE>, and instead let Splunk scan through those first few characters without any <CODE>TIME_PREFIX</CODE>-related regex processing? (And also specify <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE>.)</P> Fri, 02 Nov 2018 06:30:03 GMT https://community.splunk.com/t5/Getting-Data-In/Are-there-performance-benefits-to-placing-the-timestamp-at-the/m-p/458576#M79249 Graham_Hanningt 2018-11-02T06:30:03Z https://community.splunk.com/t5/Getting-Data-In/Are-there-performance-benefits-to-placing-the-timestamp-at-the/m-p/458577#M79250 <P>Last question first, one should always specify <CODE>TIME_PREFIX</CODE> and <CODE>TIME_FORMAT</CODE>. This keeps Splunk from guessing about your data and is slightly more performant.<BR /> Use of the <CODE>^</CODE> character does not improve performance, AFAIK. I tend to use it only if the timestamp is the first character of a line. I would suggest removing <CODE>{</CODE> from your <CODE>TIME_PREFIX</CODE> setting just in case the timestamp is not the first field.<BR /> I have no information to prove putting the timestamp at the beginning of a line performs better, just a hunch that it does.</P> Fri, 02 Nov 2018 11:19:30 GMT https://community.splunk.com/t5/Getting-Data-In/Are-there-performance-benefits-to-placing-the-timestamp-at-the/m-p/458577#M79250 richgalloway 2018-11-02T11:19:30Z https://community.splunk.com/t5/Getting-Data-In/Are-there-performance-benefits-to-placing-the-timestamp-at-the/m-p/458578#M79251 <BLOCKQUOTE> <P>I have no information to prove putting the timestamp at the beginning of a line performs better, just a hunch that it does.</P> </BLOCKQUOTE> <P>I appreciate your answer (thanks!), but I will admit I was hoping for more than a hunch. I have that same hunch.</P> <P>I'm hoping that the Splunk devs will step in and answer. They have "inside information"—they know the code path—whereas I must rely on information I can gather externally, performing tests and measuring the results. I don't really have the time to do that properly, but it's looking like I'll need to make time if I want a fact-based answer.</P> <P>I've submitted feedback on the Splunk docs topic "<A href="https://docs.splunk.com/Documentation/Splunk/latest/Data/Tunetimestampextractionforbetterindexingperformance">Tune timestamp recognition for better indexing performance</A>", which you'd think might answer these questions, but doesn't. From that topic:</P> <BLOCKQUOTE> <P>To speed up indexing, you can use props.conf to adjust how far ahead into events the Splunk timestamp processor looks</P> </BLOCKQUOTE> <P>The topic goes on to mention <CODE>MAX_TIMESTAMP_LOOKAHEAD</CODE>, but not <CODE>TIME_PREFIX</CODE>.</P> <P>Perhaps my feedback on that topic might prompt the Splunk devs or writers to address this question.</P> Wed, 07 Nov 2018 03:37:37 GMT https://community.splunk.com/t5/Getting-Data-In/Are-there-performance-benefits-to-placing-the-timestamp-at-the/m-p/458578#M79251 Graham_Hanningt 2018-11-07T03:37:37Z https://community.splunk.com/t5/Getting-Data-In/Are-there-performance-benefits-to-placing-the-timestamp-at-the/m-p/458579#M79252 <P>That's a good approach. The docs team is great about chasing down answers to questions raised by the docs.</P> Wed, 07 Nov 2018 12:25:10 GMT https://community.splunk.com/t5/Getting-Data-In/Are-there-performance-benefits-to-placing-the-timestamp-at-the/m-p/458579#M79252 richgalloway 2018-11-07T12:25:10Z