
Would you recommend regex extraction vs rex SPL, and why?

Path Finder

I am learning Splunk and I can see there are two common ways regex is used for generating fields: either using the rex command or the field extraction technique, or via the rex SPL command. I am wondering if there is a benefit to using the regex extraction over the rex SPL. In my view this is not efficient, as the regex extraction will run the regex on all logs coming in, while the rex command only runs on the SPL range used, which uses fewer resources?

Am I wrong thinking this way? Can you explain to me why?

Thanks in advance!

1 Solution

Ultra Champion

See https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutfields

I think regex extraction (as you call it) is useful for searching. Default fields are not enough for search.
rex is useful. However, constant use consumes search time and makes it difficult to create SPL.

props.conf and transforms.conf are difficult to understand and create.
Let's learn them.


Esteemed Legend

You can use the Field Extraction GUI tool in the Add Data Wizard and it is OK but like any Easy Button thing, you should also use it as a learning opportunity. The same thing with erex. Your SPL should never be saved anywhere with erex in it. Learn from it and switch to rex or better yet create an automatic Field Extraction. IMHO all of your stuff should be saved as automatic Field Extractions (as Transforms so that you can easily recycle them) against a sourcetype so that they are "just there" in every search. You can always turn them off by doing Fast Mode.
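As an added illustration of the "automatic Field Extraction as a Transform against a sourcetype" recommended above (not configuration from this thread; the sourcetype `app_auth`, the stanza names, the index name, the log format and the failure threshold are all assumed for the example):

```ini
# transforms.conf: search-time extraction, reusable by any sourcetype that REPORTs it.
# Constructed sample event this regex is written for (not from the thread):
#   2024-05-01T12:00:00Z client=203.0.113.7 user=alice action=login status=failed
[app_auth_fields]
REGEX = client=(\S+)\s+user=(\S+)\s+action=(\w+)\s+status=(\w+)
FORMAT = client_ip::$1 user::$2 action::$3 status::$4

# props.conf: attach the transform to the (assumed) sourcetype so the fields are
# "just there" in every search over it. Fast Mode skips search-time extractions.
[app_auth]
REPORT-auth_fields = app_auth_fields

# The ad-hoc equivalent the thread contrasts this with. It yields the same fields,
# but only after the events have been retrieved, so `status` cannot narrow the
# initial search, and the regex must be copied into every saved search that needs it:
#   index=auth sourcetype=app_auth
#   | rex field=_raw "client=(?<client_ip>\S+)\s+user=(?<user>\S+)\s+action=(?<action>\w+)\s+status=(?<status>\w+)"
#   | search status=failed
#   | stats count AS failures by client_ip, user
#
# With the automatic extraction, a failed-login detection filters on the field directly
# (the threshold of 10 is an example value):
#   index=auth sourcetype=app_auth status=failed
#   | stats count AS failures by client_ip, user
#   | where failures > 10
```

The transform is defined once and reused wherever the sourcetype appears, which is what the answer means by recycling it.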


Path Finder

Great answer, thanks. All answers are obviously accepted!


Legend

Hi @gwcon,
To my knowledge, the real question is: do you need to use your field once or more times?
If you need to use the field once (in only one search), you can use the rex command in SPL or create a field; it's the same thing, even if I prefer field extraction to have leaner SPL code.
If instead you have to use the field extraction in more searches, there's only one answer to the question: field extraction.

Ciao.
Giuseppe