Dashboards & Visualizations

When using the search app, which is more efficient to ingest into Splunk: JSON or XML?

New Member

Hello,

I have an option to pick between JSON or XML data type to ingest to Splunk. However, i would like to find a way to proof which data type is more efficent when it comes to ingest time, way it looks ect.

I know that JSON might be more efficient, however i want to ingest each file and check how long did it take for that file to get ingested, parse etc. I know how to ingest data, but i don't know how to check how long it took to parse.

Please provide query or links.

Thank you in advance!

I'm using search and reporting app

0 Karma

SplunkTrust
SplunkTrust

JSON is auto key-valued by default as AUTO_KV_JSON is true by default, XML requires the XML mode to be set in the props.conf

Also XML tends to be larger for most use cases so I would use JSON, the difference will only be significant once you have larger events or start looking at a lot of events in a single search. I'm unsure if anyone has measured it...

If the JSON-style data is smaller than the XML-style data this will also reduce your index / license cost as well

0 Karma

New Member

Thank you! Is there a way to check how long did each file took to parse the data after ingestion ??
I'm trying to check that.

0 Karma

SplunkTrust
SplunkTrust

The metrics.log records some information around the CPU seconds spent parsing, but you would need an isolated environment to test in refer to troubleshooting, about metrics.log

If you were measuring search time you could use the job inspector

0 Karma