Monitoring Splunk

Performance difference between using SEDCMD and older REGEX/TRANSFORMS method

DrewO
Splunk Employee
Splunk Employee

Is there a performance difference between using the SEDCMD syntax in just props.conf versus using the older method which uses TRANSFORMS and calls a stanza in transforms.conf using REGEX?

Tags (2)
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

For the particular case of s/one/two/ vs ^(.*?)one(.*)$ -> $1two$2, the former is possibly very slightly faster, but differences in the efficiencies of the regex used (e.g., using (.*?) vs (.*)) would probably enormously outweigh that. Note that it's actually not possible to use s/one/two/g (i.e., with the g flag) to replace multiple occurrences with TRANSFORMS.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

For the particular case of s/one/two/ vs ^(.*?)one(.*)$ -> $1two$2, the former is possibly very slightly faster, but differences in the efficiencies of the regex used (e.g., using (.*?) vs (.*)) would probably enormously outweigh that. Note that it's actually not possible to use s/one/two/g (i.e., with the g flag) to replace multiple occurrences with TRANSFORMS.

DrewO
Splunk Employee
Splunk Employee

@Lowell yes that's what the student wanted to know. For one off replacements, like overwriting a credit card number/account code.

0 Karma

Lowell
Super Champion

Just to be clear, the SEDCMD and TRANSFORMS index-time transformations are not exact drop-in replacements for each other. For example, SEDCMD character substitution (like y/ABC/abc/), and repeating replacements (like s/eggs/spam/g) are things that can only be done using SEDCMD, but SEDCMD is limited to only modifying the _raw field. So in your question, I'm assuming that your are specifically asking about where these two approaches overlap (a single replace operation on the _raw field.) If this is incorrect, please update your question.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...