I am learning Splunk and I can see there are two common ways regex is used for generating fields: either using the rex command or the field extractions technique, or via the rex SPL command. I am wondering if there is a benefit to using the regex extraction over the rex SPL. In my view this is not efficient, as the regex extraction will run the regex on all logs coming in, while the rex command only runs it on the SPL range used, which uses up fewer resources?
Am I wrong thinking this way? Can you explain to me why?
Thanks in advance!
See https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutfields
I think regex extraction (you say) is useful for searching. Default fields are not enough for search.
rex is useful. However, constant use consumes search time and makes it difficult to create SPL.
props.conf and transforms.conf are difficult to understand and make. Let's learn them.
You can use the Field Extraction GUI tool in the Add Data Wizard and it is OK, but like any Easy Button thing, you should also use it as a learning opportunity. The same thing with erex. Your SPL should never be saved anywhere with erex in it. Learn from it and switch to rex, or better yet create an automatic Field Extraction. IMHO all of your stuff should be saved as automatic Field Extractions (as Transforms so that you can easily recycle them) against a sourcetype so that they are "just there" in every search. You can always turn them off by doing Fast Mode.
Great answer, thanks. All answers are obviously accepted!
Hi @gwcon,
For my knowledge, the real question is: do you need to use your field once or more times?
If you need to use the field once (in only one search), you can use the rex command in SPL or create a field; it's the same thing, even if I prefer field extraction to have leaner SPL code.
If instead you have to use the field extraction in more searches there's only one answer to the question: field extraction.
Ciao.
Giuseppe