Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field extractions

spulivarthi700
Loves-to-Learn
‎03-31-2026 10:46 AM

Hey team,
If we want to reduce pressure on our Splunk indexers and our data is routing through Cribl, what does Splunk recommend?
Should all field extractions happen at the Cribl level before data reaches the indexers for any type of data, so the indexers don't need to do any parsing work?
What's the actual Splunk recommendation here ?

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-01-2026 12:58 AM

With Splunk most extractions happen at search time. You can use indexed fields but it's not a recommended good practice. There are some specific use cases when indexed fields are OK but generally you should rather focus on fixing your searches.

And I suspect what you're trying to do is solve a completely different problem than the one you have - you're trying to change your "data infrastructure" while the system load issue is most probably caused by badly written searches (and possibly not properly managed users' workload).

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-31-2026 11:39 PM

Hi @spulivarthi700 ,

the most field extractions are at search time, so the pressure is on Search Heads, not Indexers.

Anyway, in general, you can reduce jobs on Indexers, using one or more intermediate Heavy Forwarders that will parse your data, instead indexers.

but the question is: which Add-On are you using to parse cribl data?

because if you're using the Cribl Decrypt Add-On for Splunk, it hasn't any parsing rule.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...