Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field extractions

spulivarthi700
Loves-to-Learn
‎03-31-2026 10:46 AM

Hey team,
If we want to reduce pressure on our Splunk indexers and our data is routing through Cribl, what does Splunk recommend?
Should all field extractions happen at the Cribl level before data reaches the indexers for any type of data, so the indexers don't need to do any parsing work?
What's the actual Splunk recommendation here ?

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-01-2026 12:58 AM

With Splunk most extractions happen at search time. You can use indexed fields but it's not a recommended good practice. There are some specific use cases when indexed fields are OK but generally you should rather focus on fixing your searches.

And I suspect what you're trying to do is solve a completely different problem than the one you have - you're trying to change your "data infrastructure" while the system load issue is most probably caused by badly written searches (and possibly not properly managed users' workload).

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-31-2026 11:39 PM

Hi @spulivarthi700 ,

the most field extractions are at search time, so the pressure is on Search Heads, not Indexers.

Anyway, in general, you can reduce jobs on Indexers, using one or more intermediate Heavy Forwarders that will parse your data, instead indexers.

but the question is: which Add-On are you using to parse cribl data?

because if you're using the Cribl Decrypt Add-On for Splunk, it hasn't any parsing rule.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

How Edge Processor's Durable Queue Works

Edge Processor sits in one of the most consequential places in any Splunk pipeline: between your data sources ...