Hi Splunkers,
Need help on translating this search query to a Splunk configuration via props/transforms.
To give some context, the letter field was extracted via CSV.
The "letter" field value is dynamic; it may have fewer or more values.
And the value is in HTML tag format.
syntax: <p>"value"</p>
What would be the best practices in this scenario? Should I go with the method of search time or via index time?
Sample query:
| makeresults
| eval letter = "<p>A</p><p>B</p><p>C</p><p>D</p>"
| eval letter = replace(letter,"<p>","")
| eval letter = replace(letter,"</p>","__")
| makemv delim="__" letter
Expected output:
letter
A
B
C
D
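An added example of the props/transforms equivalent asked about above, not code from the thread; it uses a search-time REPORT extraction that runs a regex over the already extracted letter field and collects each <p>...</p> value into a multivalue field. The sourcetype name my_csv_sourcetype, the stanza name extract_letter_values and the output field name letter_value are assumptions.

```ini
# props.conf (search-time settings, applied to the sourcetype the CSV was indexed under)
# Assumed sourcetype name: my_csv_sourcetype
[my_csv_sourcetype]
REPORT-letter_values = extract_letter_values

# transforms.conf
# Assumed stanza name: extract_letter_values
[extract_letter_values]
# Apply the regex to the already-extracted "letter" field instead of _raw
SOURCE_KEY = letter
# Capture the text between <p> and </p>; [^<]* stops at the next tag,
# so "<p>A</p><p>B</p>" yields A and B rather than one greedy match
REGEX = <p>([^<]*)</p>
# Assumed output field name; $1 is the capture group
FORMAT = letter_value::$1
# Keep every match as a separate value of one multivalue field
# instead of discarding all but the first
MV_ADD = true
```

This mirrors the replace/makemv chain in the sample query, but the result lands in letter_value rather than overwriting letter; compare the two with `| table letter letter_value` on a few events.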
Hi @kelz,
I think that you are causing a little confusion and I have some trouble understanding your question: it seems that there are two topics in your search:
About the second topic, the difference between a field extraction at index time and one at search time is that you require more work from your Indexers one time (index time) but less when a search is executed than when running an extraction at search time.
The choice depends on how many times an extraction is used by the users, and you pay for this index time extraction in disk space (very little) and work for the Indexers.
So if your Indexers have to index many logs, it isn't a good idea to give them more work.
About the first question, could you share a sample of your logs and better describe your need?
Ciao.
Giuseppe
Hello Giuseppe,
With regard to the topic you've listed, "how to extract logs from html", I already did it with the sample query I provided via search time.
I'm just curious what would be the best approach/practices in extracting some data in the given scenario.
I appreciate your response; it gives me more clarity about what approach I need to use for that. I'll be using search time field extraction then, since there is only a little data in the CSV file.
Thanks again!
Hi @kelz,
You can find many topics in the Community about this choice: index or search time.
As I said, it depends on many factors: mainly log volume and number of searches.
Usually the main use is at search time, but it's also possible to analyze and apply it in some situations.
It must be known that extraction at index time requires more work for the Indexers or (if present) the Heavy Forwarders, and more disk space.
If my answer solves your need, please accept it for the other people of the Community, or tell me how I can help you more.
Ciao.
Giuseppe
P.S.: Karma Points are appreciated 😉