Solved: Re: Is INDEXED_EXTRACTIONS = json expensive on the...

ddrillic · ‎09-11-2018

In What are the requirements for a perfect Splunk JSON document?

We spoke about -

INDEXED_EXTRACTIONS = json
category = Structured

Is INDEXED_EXTRACTIONS = json expensive on the indexer? because I'm being told that we should avoid it due to the load it puts on the indexer...

sudosplunk · ‎09-11-2018

Hi @ddrillic,

In short yes. Please have a look at this article. This guy did some good case study comparing index-time vs search-time extractions.

https://www.hurricanelabs.com/blog/splunk-case-study-indexed-extractions-vs-search-time-extractions

HTH!

View solution in original post

sudosplunk · ‎09-11-2018

Hi @ddrillic,

In short yes. Please have a look at this article. This guy did some good case study comparing index-time vs search-time extractions.

https://www.hurricanelabs.com/blog/splunk-case-study-indexed-extractions-vs-search-time-extractions

HTH!

ddrillic · ‎09-11-2018

Very interesting @nittala_surya.

I guess they are saying that -
KV_MODE=JSON on the search heads is equivalent to
INDEXED_EXTRACTIONS=JSON on the indexer side

And the overhead on the SHs is lighter.

Is it right?

sudosplunk · ‎09-11-2018

Absolutely.

ddrillic · ‎09-12-2018

Speaking with the sales engineer who explained that in certain cases it can be expensive and in certain cases not. He also said that in case the json document is not valid we can lose data as only the name value pairs are retained and not the raw data. KV_MODE = JSON on the SH and the indexer marks the data as json.

Is INDEXED_EXTRACTIONS = json expensive on the indexer?

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application