https://community.splunk.com/t5/Splunk-Search/What-are-some-of-the-best-practices-for-field-extractions/m-p/413222#M119148 <P>It's pretty straight-forward:</P> <P>field1=value1 field2=value2 field3=value3</P> <P>The sourcetype is configured with KVMODE=auto. We also have an app on the search-head, which also does extractions against this sourcetype, using transforms. IMO, the app isn't needed, unless there's some need for it with CIM/ES, which I'm really just getting familiar with. </P> Mon, 20 Aug 2018 16:05:36 GMT a212830 2018-08-20T16:05:36Z https://community.splunk.com/t5/Splunk-Search/What-are-some-of-the-best-practices-for-field-extractions/m-p/413220#M119146 <P>Hi,</P> <P>There is some debate in our group regarding best practices for field extractions. We have a feed that has well defined key-value fields. We also have field extractions setup on the SH, for a number of these fields. Is there a really a need for the field extractions, since key-value pairs will get picked up automatically? Pros/cons? We use CIM/ES extensively. </P> Mon, 20 Aug 2018 15:38:13 GMT https://community.splunk.com/t5/Splunk-Search/What-are-some-of-the-best-practices-for-field-extractions/m-p/413220#M119146 a212830 2018-08-20T15:38:13Z https://community.splunk.com/t5/Splunk-Search/What-are-some-of-the-best-practices-for-field-extractions/m-p/413221#M119147 <P>It depends on the sourcetype definition. If the sourcetype is handling the extractions natively then you are slowing things down by adding more search time extractions.</P> <P>Sounds like we might need an example... </P> Mon, 20 Aug 2018 16:00:35 GMT https://community.splunk.com/t5/Splunk-Search/What-are-some-of-the-best-practices-for-field-extractions/m-p/413221#M119147 sloshburch 2018-08-20T16:00:35Z https://community.splunk.com/t5/Splunk-Search/What-are-some-of-the-best-practices-for-field-extractions/m-p/413222#M119148 <P>It's pretty straight-forward:</P> <P>field1=value1 field2=value2 field3=value3</P> <P>The sourcetype is configured with KVMODE=auto. We also have an app on the search-head, which also does extractions against this sourcetype, using transforms. IMO, the app isn't needed, unless there's some need for it with CIM/ES, which I'm really just getting familiar with. </P> Mon, 20 Aug 2018 16:05:36 GMT https://community.splunk.com/t5/Splunk-Search/What-are-some-of-the-best-practices-for-field-extractions/m-p/413222#M119148 a212830 2018-08-20T16:05:36Z https://community.splunk.com/t5/Splunk-Search/What-are-some-of-the-best-practices-for-field-extractions/m-p/413223#M119149 <P>Yea...def straightforward. My guess is your hunch: a case of over engineering. While they may have considered it benign, it def would produce redundant processing and marginally slow down the Search Head processing.</P> <P>If I were you, here's what I would do to validate:</P> <UL> <LI>Export a sample of the data to my local sandbox and index it there showing that the name/value pairs are available out of the box</LI> <LI>Comment out the related reference to the transforms that exists in props (but not the transforms itself as it might be used by other sourcetypes) and see if it still works</LI> <LI>Change <CODE>KV_MODE</CODE> from auto to <CODE>auto_escaped</CODE>. See <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Field_extraction_configuration">props.conf.spec</A></LI> </UL> <P>To be safe, you might as well share what the transforms is. You mentioned KV_MODE which is props. But let's be sure about what the purpose of the related transforms is.</P> <P>Also, it could be the case that in your environment, someone erroneously edited the default KV_MODE thereby obligating any sourcetype to need such over-the-top extra config.</P> Wed, 22 Aug 2018 13:30:10 GMT https://community.splunk.com/t5/Splunk-Search/What-are-some-of-the-best-practices-for-field-extractions/m-p/413223#M119149 sloshburch 2018-08-22T13:30:10Z