Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: moving from indexed time _json to search time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are using a lot of indexed time _json sourcetypes on our heavy forwarder for file inputs and HTTP event collector.
Would it be recommended to move to search time field extraction ?
What would the steps be from the heavy forwarder to the search head cluster ?
gratzi
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indexed Time extractions will increase the size of your tsidx files because Splunk will need to keep the structure fixed on those sourcetypes.
In general, Search Time is the recommended way for agility, freedom, manageability of future changes, correcting errors and improvements/evolution on what you want to get from your sourcetypes.
If you don't want INDEXED_EXTRACTIONS on your json, you just need to remove the INDEXED_EXTRACTIONS=JSON in your props.conf for the referred sourcetypes on the HF.
Then configure either partial extractions in the Search Head, under your sourcetype in props:
EXTRACT-global = "\"id: \"(?<id>[^\"]*)"
Or as @FrankVl mentions below , just get them all again with KV_MODE=json
For JSON, the INDEXED_EXTRACTIONS or KV_MODE=json are pretty useful, so I wouldn't suggest doing all this parsing by yourself here, unless you are only aiming to extract a very small contained portion of the full events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Indexed Time extractions will increase the size of your tsidx files because Splunk will need to keep the structure fixed on those sourcetypes.
In general, Search Time is the recommended way for agility, freedom, manageability of future changes, correcting errors and improvements/evolution on what you want to get from your sourcetypes.
If you don't want INDEXED_EXTRACTIONS on your json, you just need to remove the INDEXED_EXTRACTIONS=JSON in your props.conf for the referred sourcetypes on the HF.
Then configure either partial extractions in the Search Head, under your sourcetype in props:
EXTRACT-global = "\"id: \"(?<id>[^\"]*)"
Or as @FrankVl mentions below , just get them all again with KV_MODE=json
For JSON, the INDEXED_EXTRACTIONS or KV_MODE=json are pretty useful, so I wouldn't suggest doing all this parsing by yourself here, unless you are only aiming to extract a very small contained portion of the full events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No need to specify all the extractions like that right. You can also just set KV_MODE = json in your props.conf to enable automatic search time json extractions.
Just make sure you don't have both KV_MODE = json and INDEXED_EXTRACTIONS=JSON enabled, because then you get all field values twice.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes totally agree @FrankVl , KV_MODE = json get's you all of those fields on search time
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
