I have an option to pick between JSON or XML data type to ingest to Splunk. However, i would like to find a way to proof which data type is more efficent when it comes to ingest time, way it looks ect.
I know that JSON might be more efficient, however i want to ingest each file and check how long did it take for that file to get ingested, parse etc. I know how to ingest data, but i don't know how to check how long it took to parse.
Please provide query or links.
Thank you in advance!
I'm using search and reporting app
JSON is auto key-valued by default as AUTOKVJSON is true by default, XML requires the XML mode to be set in the props.conf
Also XML tends to be larger for most use cases so I would use JSON, the difference will only be significant once you have larger events or start looking at a lot of events in a single search. I'm unsure if anyone has measured it...
If the JSON-style data is smaller than the XML-style data this will also reduce your index / license cost as well
Thank you! Is there a way to check how long did each file took to parse the data after ingestion ??
I'm trying to check that.