Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

log with key value pair or transforms.conf performance diffrence?

jazzythemartian
New Member
‎10-08-2013 01:25 AM

Hi,

to gain index size I made the log format as below. I didn't use key value pair.

20121101095842|192.168.1.2|KRQQQShcnQdRK8pLKTXC|20138494756382|I|PLAY|this the detailed info|1

And in transforms.conf I defined the fields.
DELIMS="|"
FIELDS=time,sourceip,session_id,customer_id,channel,op_type,detail,result_code

What if I made the log format like;

time=20121101095842,sourceip=192.168.1.2,sessiın_id=KRQQQShcnQdRK8pLKTXC,customer_id=20138494756382,channel=I, op_type=PLAY, detail=this the detailed info|result_code=1

Is there any performance diffrence between these two? a big diffrence in speed?

thanks,

a.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-08-2013 01:36 AM

Well, as you've probably calculated, you'll save some license space - in this case like 40%. I cannot see any immediate downside to the approach - as long as you keep the number and order of fields constant. With key=value pairs, that is not relevant, as the extraction takes place automatically.

You should probably set KV_MODE=none for this sourcetype in props.conf.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

Whether a REPORT is faster than KV_MODE=auto... I don't know - perhaps a little.

/K

0 Karma
Reply

sowings
Splunk Employee
Splunk Employee
‎10-08-2013 07:00 AM

I agree with your gut.

0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-08-2013 06:34 AM

Naturally - having both is the worst 🙂

Gut feeling says that REPORT + KV_MODE=none should be faster than KV_MODE=auto. Should be fewer, less complicated steps. Though for some searches the difference might not be even noticeable.

Reply

sowings
Splunk Employee
Splunk Employee
‎10-08-2013 06:04 AM

REPORT with DELIMS is definitely faster if you turn off KV_MODE=auto for that type. 🙂 I'm not sure if "properly configured" REPORT with DELIMS alone is faster than key=value pairs, however.

0 Karma
Reply
Get Updates on the Splunk Community!

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...

What’s New in Splunk Observability Cloud: January Feature Highlights & Deep Dives

Splunk Observability Cloud continues to evolve, empowering engineering and operations teams with advanced ...