index time field extraction

grodaas — Thu, 30 Aug 2012 07:55:21 GMT

When I do index time field extraction will Splunk create a new separate index for the values in the extracted field ( For example a B-tree index) or will Splunk add key=value pairs as keywords to the existing full-text indexes found in the *.tsidx files?

Re: index time field extraction

lguinn2 — Mon, 03 Sep 2012 07:58:26 GMT

Splunk adds key-value pairs. Unless you have a very specific (and unusual) situation, index time field extraction will not improve performance. However, it is more complex, more error-prone and inflexible. This is why Splunk strongly encourages you to use search time field extractions. Index time field extraction is not faster - with very rare exceptions. Do not use it unless you must.

Splunk field extractions and Splunk indexing are not the same as relational database indexes. They are not remotely equivalent from a functional configuration perspective.

Did I say "don't use index time field extraction" often enough? I can say it again...

Also see this answer: Search-time versus index-time field extractions

topic index time field extraction in Getting Data In

index time field extraction

Re: index time field extraction