
Inline field extracted vs Transformation?

cmeyers
Explorer

I am walking through the Cisco app and I noticed that there are a lot of different ways fields are being extracted. It looks like there are many inline extractions and others referencing a transform, all in props.conf (EXTRACT vs REPORT). I have seen bits and pieces on what the difference is between the two methods, but it is still unclear to me.

My question is: what are the pros and cons of doing an inline EXTRACT versus doing a transformation and referencing it with a REPORT in props.conf, and vice versa?

1 Solution

woodcock
Esteemed Legend

They are the same, except that EXTRACT is inlined, so it only exists in props.conf, whereas REPORT is two-part, with half in props.conf and the other half in transforms.conf. If later extractions depend on other extractions, you should definitely use REPORT so that you can clearly control which ones happen first. Also, if you have the same extractions for multiple sourcetypes, it is easier to have a single copy in transforms.conf so that any changes/fixes to it are done on one line in one file instead of on multiple lines in multiple files. Honestly, EXTRACT is lazy; I always do REPORT; I cannot think of any real advantage to EXTRACT.

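To make the two styles concrete, here is an added example of both halves side by side. It is constructed for this page and is not taken from the Cisco app or from the answer above; the sourcetype names, transform stanza names, field names and regexes are assumptions chosen to illustrate the three points in the answer (inline vs. two-part, a later extraction that depends on an earlier one, and one transform shared by two sourcetypes).

```ini
# ---- props.conf (constructed example; stanza/field names and regexes are assumptions) ----

# Inline extraction: the whole regex lives here, tied to this one sourcetype.
# Quick to write, but nothing else can reuse it and its ordering relative to
# other extractions is not something you get to state explicitly.
[cisco:asa]
EXTRACT-asa_action = %ASA-\d-\d+:\s+(?<action>Built|Teardown|Deny)

# Two-part extraction: props.conf only names the transforms.conf stanzas to run.
# Splunk applies the listed transforms in the order given, which is how you
# guarantee that cisco_src_octets (which needs src_ip) runs after cisco_src_dst.
REPORT-cisco_addrs = cisco_src_dst, cisco_src_octets

# A second sourcetype reusing the same transforms. A regex fix in transforms.conf
# now fixes both sourcetypes at once; with EXTRACT you would patch two stanzas.
[cisco:ios]
REPORT-cisco_addrs = cisco_src_dst, cisco_src_octets


# ---- transforms.conf (constructed example) ----

# Runs against _raw (the default SOURCE_KEY) and pulls the source and
# destination addresses via named capture groups, so no FORMAT line is needed.
[cisco_src_dst]
REGEX = \bsrc\b[^0-9]*(?<src_ip>\d{1,3}(?:\.\d{1,3}){3}).*?\bdst\b[^0-9]*(?<dest_ip>\d{1,3}(?:\.\d{1,3}){3})

# Depends on the previous extraction: SOURCE_KEY points the regex at the
# already-extracted src_ip field instead of _raw. This only works if
# cisco_src_dst has already run, hence its position in the REPORT list above.
[cisco_src_octets]
SOURCE_KEY = src_ip
REGEX = ^(?<src_first_octet>\d{1,3})\.
```

One further point in favour of REPORT that the answer does not mention: some extraction options, such as delimiter-based DELIMS/FIELDS and MV_ADD for multivalue fields, exist only in transforms.conf, so those cases need a REPORT regardless of preference. After deploying either form, confirm the result with a search such as `index=<your_index> sourcetype=cisco:asa | table src_ip dest_ip src_first_octet action` and check that no field is empty.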


rita201
Loves-to-Learn

Please, for better understanding, what is the actual difference between the prof.conf and transforms.conf files?


woodcock
Esteemed Legend

I have never heard of prof.conf, but in any case you should ask your own new question.
