I am walking through the Cisco app and I noticed that there are a lot of different ways fields are being extracted. It looks like there are many inline extractions and others referencing a transform, all in the props.conf (EXTRACT vs REPORT). I have seen bits and pieces on what the difference is between the two methods, but it still is unclear to me.
My question is, what are the pros and cons of doing an inline EXTRACT versus doing a transformation and referencing it with a REPORT in the props.conf, and vice versa.
They are the same except that EXTRACT is inlined so only exists in props.conf; REPORT is 2-part with half in props.conf and the other half in transforms.conf. If later extractions depend on other extractions, you should definitely use REPORT so that you can clearly control which ones happen first. Also, if you have the same extractions for multiple sourcetypes, it is easier to have a single copy in transforms.conf so that any changes/fixes to it are done on 1 line in 1 file instead of on multiple lines in multiple files. Honestly, EXTRACT is lazy; I always do REPORT; I cannot think of any real advantage to
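As an added illustration of the two forms contrasted in the answer above (example configuration written for this page, not stanzas from the Cisco app or from the poster): the same connection fields pulled out once with an inline EXTRACT and once with a transform referenced by REPORT from two sourcetypes, plus a second transform that reads a field the first one produced, which is the ordering case the answer describes. The sourcetype names, transform names, field names, regexes and the sample log line are all assumptions made up for this example.

```ini
# Constructed sample event (invented for this example, not captured from a device):
#   Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51522 (10.0.0.7/51522)
# Backslashes in .conf regexes are taken literally; no extra escaping is needed.

# ---------- props.conf: inline EXTRACT ----------
# The whole extraction lives on this one line. Reusing it for a second
# sourcetype means copying the line, and a later fix has to be applied in every copy.
# (The sourcetype is named differently here only so both forms fit in one file;
# in practice you would pick one form for a given sourcetype.)
[example:firewall_inline]
EXTRACT-conn = (?<action>Built|Teardown)\s+(?<direction>inbound|outbound)\s+(?<proto>TCP|UDP)\s+connection\s+\d+\s+for\s+\w+:(?<src_ip>[\d.]+)/(?<src_port>\d+).*?\s+to\s+\w+:(?<dest_ip>[\d.]+)/(?<dest_port>\d+)

# ---------- props.conf: REPORT pointing at transforms.conf ----------
# Same fields, but the regex is written once in transforms.conf and shared by
# both sourcetypes. Transforms in the comma-separated list run left to right,
# so fw_connection runs first and fw_port_class can then see the dest_port it created.
[example:firewall]
REPORT-conn = fw_connection, fw_port_class

[example:firewall_archive]
REPORT-conn = fw_connection, fw_port_class

# ---------- transforms.conf ----------
# First stage: parse _raw. One change here fixes every sourcetype that references it.
[fw_connection]
REGEX = (Built|Teardown)\s+(inbound|outbound)\s+(TCP|UDP)\s+connection\s+\d+\s+for\s+\w+:([\d.]+)/(\d+).*?\s+to\s+\w+:([\d.]+)/(\d+)
FORMAT = action::$1 direction::$2 proto::$3 src_ip::$4 src_port::$5 dest_ip::$6 dest_port::$7

# Second stage: operate on a field the first transform produced rather than on _raw.
# This dependency is why the ordering in the REPORT line matters.
[fw_port_class]
SOURCE_KEY = dest_port
REGEX = ^(443|22|3389)$
FORMAT = sensitive_port::$1
```

Against the constructed event, the inline and the transform-based versions yield the same action, direction, proto, src_ip, src_port, dest_ip and dest_port fields; only the REPORT version can add sensitive_port=443 in a second pass, and only the REPORT version gives both sourcetypes that result from a single regex.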