https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421416#M167138 <P>Hi , </P> <P>It was mentioned earlier by Stephen Sorkin [Splunk] ♦ in one of his answers. I am just coping this remark on the same. i find it really useful</P> <P>In general, we recommend search-time extractions rather than index-time extractions. There are relatively few cases where index-time extractions are better, and they come at the cost of brittleness of configuration and an increase in index size (which in turn makes searches slower).</P> <P>The distinction in the UI of "uses transform" vs. inline doesn't have anything to do with search-time vs index-time. It is referring to where the regex itself is stored: in an EXTRACT- line in props.conf (for inline) as opposed to in a REPORT- line that refers to a stanza in transforms.conf (for uses transform).</P> <P>Index time extractions are also set in props.conf and transforms.conf by means of the TRANSFORM- line. Again, they should rarely be used. They are appropriate when the heuristic of search for the value of the field fails (either because the value is ubiquitous outside of cases where the field equals the value, or because the value isn't an indexed token) or when you commonly search for field!=value without other terms to constrain the search.</P> <P>Link of the answer : <A href="https://answers.splunk.com/answers/5817/search-time-versus-index-time-field-extractions.html">https://answers.splunk.com/answers/5817/search-time-versus-index-time-field-extractions.html</A></P> Wed, 10 Oct 2018 18:53:05 GMT iamarkaprabha 2018-10-10T18:53:05Z https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421411#M167133 <P>My question is what is the difference between an index time extraction and a search time extraction? Can anyone explain with some simple examples?</P> <P>I have tried to read this :</P> <P>one:<A href="https://docs.splunk.com/Documentation/Splunk/7.1.3/Indexer/Indextimeversussearchtime">https://docs.splunk.com/Documentation/Splunk/7.1.3/Indexer/Indextimeversussearchtime</A>, but i stil cant understand.</P> Tue, 09 Oct 2018 19:03:59 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421411#M167133 aatha89 2018-10-09T19:03:59Z https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421412#M167134 <P>I'm not going to be able to explain much myself but maybe something in one of these will help?</P> <P><A href="https://answers.splunk.com/answers/5817/search-time-versus-index-time-field-extractions.html">https://answers.splunk.com/answers/5817/search-time-versus-index-time-field-extractions.html</A><BR /> <A href="https://answers.splunk.com/answers/151939/how-do-index-and-search-time-field-extractions-differ-and-which-is-better-for-search-performance.html">https://answers.splunk.com/answers/151939/how-do-index-and-search-time-field-extractions-differ-and-which-is-better-for-search-performance.html</A><BR /> <A href="https://answers.splunk.com/answers/396276/should-i-use-an-index-time-field-extraction.html">https://answers.splunk.com/answers/396276/should-i-use-an-index-time-field-extraction.html</A></P> Tue, 09 Oct 2018 19:59:52 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421412#M167134 kmaron 2018-10-09T19:59:52Z https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421413#M167135 <P>Index time extractions are the field extractions done at the indexer end when the data is indexed.<BR /> Search time extractions are field extractions at Search Heads done at the search time for eg. extracting a field using rex command in your search or defining field extractions on search heads.</P> Tue, 09 Oct 2018 20:08:59 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421413#M167135 Vijeta 2018-10-09T20:08:59Z https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421414#M167136 <P>splunk will create some default (metadata) fields such as <CODE>_time, host, index, source, sourcetype</CODE> etc and write those to disk on the file system along with the raw log event string</P> <P>example raw log: <CODE>time=1539116213 user=mary host=laptop ip=192.168.0.1</CODE></P> <P>when you run the query <CODE>index=main user=mary host=laptop</CODE> splunk performs search time field extractions on the raw log looking for matches to your search for those fields that are not metadata and/or indexed and written to file system disk field value pairs</P> <P>index time extractions are field value pairs written to disk just like the metadata fields but for the most part this is unnecessary and results greater disk usage on your indexers without providing additional benefit</P> <P>there are of course use-cases for, and exceptions to, all of this</P> Tue, 09 Oct 2018 20:32:46 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421414#M167136 marycordova 2018-10-09T20:32:46Z https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421415#M167137 <P>*<EM>Index time Field extraction - *</EM></P> <UL> <LI><P>It happens at index time when splunk indexes data.</P></LI> <LI><P>At index time, it extracts some default fields like source, source types and hosts. </P></LI> <LI><P>We can also define our custom source types, hosts so that it tags events with them.</P></LI> </UL> <P>*<EM>Search time field extraction- *</EM></P> <UL> <LI><P>It happens at search time when we search through data. </P></LI> <LI><P>It can extract additional fields other than default fields depending on its search settings. </P></LI> <LI><P>It includes aliasing, tagging, addition of fields from lookup. But here, you cannot change host or source type assignments. </P></LI> </UL> <P>Hope i am able to answer your question properly <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 10 Oct 2018 06:17:16 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421415#M167137 nilbak1 2018-10-10T06:17:16Z https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421416#M167138 <P>Hi , </P> <P>It was mentioned earlier by Stephen Sorkin [Splunk] ♦ in one of his answers. I am just coping this remark on the same. i find it really useful</P> <P>In general, we recommend search-time extractions rather than index-time extractions. There are relatively few cases where index-time extractions are better, and they come at the cost of brittleness of configuration and an increase in index size (which in turn makes searches slower).</P> <P>The distinction in the UI of "uses transform" vs. inline doesn't have anything to do with search-time vs index-time. It is referring to where the regex itself is stored: in an EXTRACT- line in props.conf (for inline) as opposed to in a REPORT- line that refers to a stanza in transforms.conf (for uses transform).</P> <P>Index time extractions are also set in props.conf and transforms.conf by means of the TRANSFORM- line. Again, they should rarely be used. They are appropriate when the heuristic of search for the value of the field fails (either because the value is ubiquitous outside of cases where the field equals the value, or because the value isn't an indexed token) or when you commonly search for field!=value without other terms to constrain the search.</P> <P>Link of the answer : <A href="https://answers.splunk.com/answers/5817/search-time-versus-index-time-field-extractions.html">https://answers.splunk.com/answers/5817/search-time-versus-index-time-field-extractions.html</A></P> Wed, 10 Oct 2018 18:53:05 GMT https://community.splunk.com/t5/Splunk-Search/What-is-the-difference-between-index-time-extractions-and-search/m-p/421416#M167138 iamarkaprabha 2018-10-10T18:53:05Z