
Would you recommend regex extraction vs rex SPL, and why?

gwcon
Path Finder

I am learning Splunk and I can see there are two common ways regex is being used for generating fields: either using the rex command or the field extractions technique, or via the rex SPL command. I am wondering if there is a benefit to using the regex extraction over the rex SPL. In my view this is not efficient, as the regex extraction will do the regex on all logs coming in, while the rex command only does it on the SPL range used, which uses up fewer resources?

Am I wrong thinking this way? Can you explain to me why?

Thanks in advance!

1 Solution

to4kawa
Ultra Champion

see https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutfields

I think regex extraction (as you say) is useful for searching. Default fields are not enough for search.
rex is useful. However, constant use consumes search time and makes it difficult to create SPL.

props.conf and transforms.conf are difficult to understand and make.
Let's learn them.


woodcock
Esteemed Legend

You can use the Field Extraction GUI tool in the Add Data Wizard and it is OK, but like any Easy Button thing, you should also use it as a learning opportunity. The same thing with erex. Your SPL should never be saved anywhere with erex in it. Learn from it and switch to rex or, better yet, create an automatic Field Extraction. IMHO all of your stuff should be saved as automatic Field Extractions (as Transforms so that you can easily recycle them) against a sourcetype so that they are "just there" in every search. You can always turn them off by using Fast Mode.
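To make the two approaches in this thread concrete, here is an added example (not from any poster, and not Splunk's own documentation) showing the same two fields extracted once with an ad-hoc rex in SPL and once as an automatic, transforms-based search-time extraction bound to a sourcetype. The sourcetype name `linux_secure`, the index `auth`, the stanza name `auth_fail_fields` and the sample log line are all constructed for the illustration. Both forms run at search time, so a REPORT-based extraction is evaluated only against the events a search actually returns (and, as noted above, is skipped entirely in Fast Mode); the difference is reuse and leaner SPL, not whether the regex runs on ingest.

```ini
# --- Sample event (constructed) ---
# Mar  1 10:00:00 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 22 ssh2

# --- Approach 1: ad-hoc extraction in SPL (regex lives in every search that needs it) ---
# index=auth sourcetype=linux_secure "Failed password"
# | rex "Failed password for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
# | stats count by src_ip, user

# --- Approach 2: automatic search-time extraction, reusable across searches ---

# $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf
[auth_fail_fields]
# Unnamed capture groups; FORMAT maps them to field names so the same
# regex can be re-attached to other sourcetypes without editing it.
REGEX = Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})
FORMAT = user::$1 src_ip::$2

# $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
[linux_secure]
# REPORT- attaches the transform as a search-time extraction for this sourcetype.
# Multiple transforms can be listed comma-separated and recycled across stanzas.
REPORT-auth_fail = auth_fail_fields

# With the conf files in place the search collapses to:
# index=auth sourcetype=linux_secure "Failed password" | stats count by src_ip, user
```

After editing the conf files, the extraction becomes visible without a restart once the knowledge objects are reloaded (for example via `| extract reload=true` in a search, or a debug refresh); verify it with a search in Verbose or Smart mode, since Fast Mode deliberately skips search-time field extractions.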

gwcon
Path Finder

Great answer, thanks. All answers are obviously accepted!


gcusello
SplunkTrust

Hi @gwcon,
to my knowledge, the real question is: do you need to use your field once or more times?
If you need to use the field once (in only one search), you can use the rex command in SPL or create a field; it's the same thing, even if I prefer field extraction to have leaner SPL code.
If instead you have to use the field extraction in more searches, there's only one answer to the question: field extraction.

Ciao.
Giuseppe
