Field extractions

spulivarthi700

Hey team,
If we want to reduce pressure on our Splunk indexers and our data is routing through Cribl, what does Splunk recommend?
Should all field extractions happen at the Cribl level before data reaches the indexers for any type of data, so the indexers don't need to do any parsing work?
What's the actual Splunk recommendation here?


PickleRick
SplunkTrust

With Splunk most extractions happen at search time. You can use indexed fields but it's not a recommended good practice. There are some specific use cases when indexed fields are OK but generally you should rather focus on fixing your searches.

And I suspect what you're trying to do is solve a completely different problem than the one you have - you're trying to change your "data infrastructure" while the system load issue is most probably caused by badly written searches (and possibly not properly managed users' workload).


gcusello
SplunkTrust

Hi @spulivarthi700 ,

Most field extractions are at search time, so the pressure is on Search Heads, not Indexers.

Anyway, in general, you can reduce jobs on Indexers by using one or more intermediate Heavy Forwarders that will parse your data instead of the indexers.

But the question is: which Add-On are you using to parse Cribl data?

Because if you're using the Cribl Decrypt Add-On for Splunk, it doesn't have any parsing rules.

Ciao.

Giuseppe
