Hello folks,
I was wondering if you could help me with a dilemma about PERFORMANCE.
I'm normalizing fields in order to use them with the Splunk Common Information Model (CIM), and I don't know whether I should use an extraction like this:
props.conf:
[(?::){0}opsec*]
REPORT-rule_as_rule_id = rule_as_rule_id
transforms.conf:
[rule_as_rule_id]
REGEX = rule=(\w+)
FORMAT = rule_id::$1
or just use a FIELDALIAS like this:
props.conf:
[(?::){0}opsec*]
# alias the auto-extracted key "rule" (from "rule=<value>") to the CIM field name
FIELDALIAS-opsec_cim_fields = rule AS rule_id
Can you help me understand which method is best, if either?
Thank you in advance!
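To check a REPORT-style REGEX/FORMAT pair (and the FIELDALIAS alternative) against sample events before deploying it, here is an added example that is not part of the original post; it is a simplified emulation of Splunk's search-time behaviour, not Splunk's own code, and the OPSEC-style events are constructed:

```python
import re

# Constructed transforms.conf stanza, mirroring the one in the question.
TRANSFORM = {"REGEX": r"rule=(\w+)", "FORMAT": "rule_id::$1"}

# Constructed OPSEC-style sample events (not real log data).
SAMPLE_EVENTS = [
    "time=12:00:01 action=accept rule=42 src=10.0.0.5 dst=10.0.0.9",
    "time=12:00:02 action=drop rule=Cleanup_rule src=10.0.0.7",
    "time=12:00:03 action=accept src=10.0.0.8",  # no rule= key at all
]


def apply_report(transform, event):
    """Emulate a REPORT-* extraction (assumption: simplified model).

    FORMAT is treated as space-separated name::value pairs where $N is
    capture group N of REGEX. When REGEX does not match, {} is returned:
    the CIM field is simply absent from that event, as in Splunk.
    """
    m = re.search(transform["REGEX"], event)
    if not m:
        return {}
    fields = {}
    for pair in transform["FORMAT"].split():
        name, value = pair.split("::", 1)
        value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", value)
        fields[name] = value
    return fields


def apply_fieldalias(event, source, alias):
    """Emulate FIELDALIAS: it only renames a field that already exists,
    here the field produced by automatic key=value extraction."""
    kv = dict(re.findall(r"(\w+)=(\S+)", event))
    return {alias: kv[source]} if source in kv else {}


def normalize_all(events, transform=TRANSFORM):
    """Run the REPORT emulation over every event; events without a match
    yield {} so you can see which records would miss the CIM field."""
    return [apply_report(transform, e) for e in events]
```

Events that yield {} are the ones worth inspecting, since a CIM-compliant search (for example a datamodel search filtering on rule_id) will silently skip them.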
Field aliases can be a bigger detriment to performance. Martin_mueller (https://answers.splunk.com/users/134323/martin_mueller.html) could probably answer this better than I can with his fantastic .conf talk on the subject: http://conf.splunk.com/session/2015/conf2015_MMueller_Consist_Deploying_OptimizingSplunkKnowledge.pd...
My take-away is: I wouldn't spend a whole lot of time fixing existing sourcetypes, but if you're doing it for a new sourcetype then I'd utilize a regex.
Thank you for your answer! I'll try this approach.