https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489347#M8202 <OL> <LI><P>Field extraction settings for structured data must be configured on the forwarder.</P></LI> <LI><P>If structured data has fields then those are automatically extracted. If not then <EM>FIELD_NAMES</EM> attribute can be configured in props.conf to set field names.</P></LI> <LI><P>For structured data all the fields in data are extracted during index time only.</P></LI> <LI><P>For unstructured data it's better to extract data during search time as Splunk doc says:</P></LI> </OL> <P>####Index-time custom field extraction can degrade performance at both index time and search time. When you add to the number of fields extracted during indexing, the indexing process slows. Later, searches on the index are also slower, because the index has been enlarged by the additional fields, and a search on a larger index takes longer. You can avoid such performance issues by instead relying on search-time field extraction. </P> Sun, 08 Mar 2020 14:41:14 GMT manjunathmeti 2020-03-08T14:41:14Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489345#M8200 <P>Hi Splunkers,</P> <P>Splunk suggests to extract fields at forwarders for structured data, why? and what if i have field names in the log / no filed field names in the log?</P> <P>I have a confusion that whether my license usage get affected by structured field extraction at index time/ at forwarders.<BR /> I understand that splunk license counts against what you index , so if i do indexed field extractions then those field value pairs will be added to _raw and cause license usage, is that correct?</P> <P>For unstructured data Splunk suggests us to do extraction at search time?.</P> <P>I'm clear with these but sometimes not,.</P> <P>any advises will be appreciated..</P> <P>Pramodh B</P> Sun, 08 Mar 2020 11:29:53 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489345#M8200 PramodhKumar 2020-03-08T11:29:53Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489346#M8201 <P>It has nothing to do with license because you are metered for that with length of <CODE>_raw</CODE> in bytes.</P> <P>First, that guidance is overly-smplistic to the point of being fallacious; please post a followup comment here with the URL where you read that so that I can submit some feedback.</P> <P>The MAIN reason that this advice is wrong is because it will lead people to the very bad and generally <EM>WRONG</EM> decision to use <CODE>Heavy Forwarders</CODE> (which can do every kind of <CODE>index-time</CODE> field extractions) instead of <CODE>Universal Forwarders</CODE>: <A href="https://www.splunk.com/en_us/blog/tips-and-tricks/universal-or-heavy-that-is-the-question.html">https://www.splunk.com/en_us/blog/tips-and-tricks/universal-or-heavy-that-is-the-question.html</A></P> <P>Another reason it is wrong is because <CODE>index-time</CODE> field extractions consume a significant amount of disk space, often for no actual benefit (nobody is <CODE>tstats</CODE>ing them).</P> <P>Also, the only sensible way to do <CODE>index-time</CODE> field extractions on a <CODE>Universal Forwarder</CODE> is with <CODE>INDEXED_EXTRACTIONS</CODE> which should generally be avoided because it is "all or none".</P> <P>The only shred of this advice that is true is the universal distributed architecture rule that, all other considerations being equal (note my previously voiced inequalities above) as much as possible should be done at the leaves of the tree.</P> Sun, 08 Mar 2020 14:26:04 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489346#M8201 woodcock 2020-03-08T14:26:04Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489347#M8202 <OL> <LI><P>Field extraction settings for structured data must be configured on the forwarder.</P></LI> <LI><P>If structured data has fields then those are automatically extracted. If not then <EM>FIELD_NAMES</EM> attribute can be configured in props.conf to set field names.</P></LI> <LI><P>For structured data all the fields in data are extracted during index time only.</P></LI> <LI><P>For unstructured data it's better to extract data during search time as Splunk doc says:</P></LI> </OL> <P>####Index-time custom field extraction can degrade performance at both index time and search time. When you add to the number of fields extracted during indexing, the indexing process slows. Later, searches on the index are also slower, because the index has been enlarged by the additional fields, and a search on a larger index takes longer. You can avoid such performance issues by instead relying on search-time field extraction. </P> Sun, 08 Mar 2020 14:41:14 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489347#M8202 manjunathmeti 2020-03-08T14:41:14Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489348#M8203 <P>Thank you, </P> <P>All your suggestions are good, I really appreciate your effort.</P> <P>My question is what does INDEXED_EXTRACTIONS do at UF, lets say I have a csv file having 20 lines, no field names.<BR /> I did INDEXED_EXTRACTIONS at UF now what exactly my forwarder sends to Indexer? That's all...</P> <P>My doubt is if UF forwards _raw + new field vales then while passing throgh index pipeline, does it counts all?</P> <P>There are 4 pipelines - Parsing-Mergine-Typing-Index , license metered at last pipeline, is that correct when data being written to disk?</P> <P>Can you please elaborate on precedence of props attributes vs license meter.</P> <P>Pramodh</P> Wed, 30 Sep 2020 04:31:40 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489348#M8203 PramodhKumar 2020-09-30T04:31:40Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489349#M8204 <P>Thank you,</P> <P>I appreciate your efforts here.</P> <OL> <LI>why splunk suggests to extarct fields at search time, is this same for structured/unstructured?</LI> <LI>What if I do extraction during index-time for unstructured data? license usage?</LI> <LI>I didn't understand, this in comparison to your 1st point.</LI> <LI>This is clear.</LI> </OL> <P>Pramodh</P> Sun, 08 Mar 2020 15:42:53 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489349#M8204 PramodhKumar 2020-03-08T15:42:53Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489350#M8205 <OL> <LI>Refer point 4. This is same for both structured and unstructured.</LI> <LI>License is measured based on the amount of raw data that the indexer ingests into its indexing pipeline. Basically it is counted against _raw data.</LI> <LI>Actually parsing , merging and typing for structured data happens in forwarder only and indexing happens in indexer server.</LI> </OL> Sun, 08 Mar 2020 16:16:51 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489350#M8205 manjunathmeti 2020-03-08T16:16:51Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489351#M8206 <P>There is no impact on license, only disk and CPU.</P> Sun, 08 Mar 2020 17:14:38 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489351#M8206 woodcock 2020-03-08T17:14:38Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489352#M8207 <P>what is the splunk DB connetion?</P> Sun, 08 Mar 2020 17:47:17 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Field-Extraction-for-different-types-of-data/m-p/489352#M8207 valishaik 2020-03-08T17:47:17Z