I have an option to pick between the JSON or XML data type to ingest into Splunk. However, I would like to find a way to prove which data type is more efficient when it comes to ingest time, the way it looks, etc.
I know that JSON might be more efficient; however, I want to ingest each file and check how long it took for that file to get ingested, parsed, etc. I know how to ingest data, but I don't know how to check how long it took to parse.
Please provide query or links.
Thank you in advance!
I'm using the Search and Reporting app.
JSON is auto key-valued by default, as AUTO_KV_JSON is true by default; XML requires the XML mode to be set in props.conf.
Also, XML tends to be larger for most use cases, so I would use JSON. The difference will only be significant once you have larger events or start looking at a lot of events in a single search. I'm unsure if anyone has measured it...
If the JSON-style data is smaller than the XML-style data, this will also reduce your index / license cost as well.
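The size point in the answer above can be checked before anything is ingested. The following is an added example, not part of the original thread: it serializes the same constructed records as JSON and as XML, then compares raw byte volume and parse time. It uses Python's standard-library parsers, not Splunk's, so the timings are only a relative indication; the field names and values are assumptions.

```python
import json
import time
import xml.etree.ElementTree as ET

def make_events(n=1000):
    # Constructed sample records (not real data); field names are assumptions.
    return [{"time": f"2024-01-01T00:{i // 60 % 60:02d}:{i % 60:02d}Z",
             "host": f"web{i % 4:02d}", "user": f"user{i % 50}",
             "action": "login",
             "status": "failure" if i % 7 == 0 else "success",
             "src_ip": f"10.0.{i % 256}.{(i * 7) % 256}"} for i in range(n)]

def to_json_lines(events):
    # One compact JSON object per line, as a file of single-line events.
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events)

def to_xml_lines(events):
    # One <event> element per line, one child element per field.
    lines = []
    for e in events:
        root = ET.Element("event")
        for key, value in e.items():
            ET.SubElement(root, key).text = value
        lines.append(ET.tostring(root, encoding="unicode"))
    return "\n".join(lines)

def parse_json_lines(text):
    return [json.loads(line) for line in text.splitlines()]

def parse_xml_lines(text):
    return [{c.tag: c.text for c in ET.fromstring(line)}
            for line in text.splitlines()]

def timed(fn, arg):
    start = time.perf_counter()
    result = fn(arg)
    return result, time.perf_counter() - start

def compare(n=1000):
    events = make_events(n)
    j, x = to_json_lines(events), to_xml_lines(events)
    j_parsed, j_sec = timed(parse_json_lines, j)
    x_parsed, x_sec = timed(parse_xml_lines, x)
    # Raw bytes are what count toward index and license volume.
    return {"json_bytes": len(j.encode()), "xml_bytes": len(x.encode()),
            "json_parse_sec": j_sec, "xml_parse_sec": x_sec,
            "same_fields": j_parsed == x_parsed == events}

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running it on an export of your own data in both formats, instead of the constructed records, gives the size ratio that matters for your license volume.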