Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field Extraction for different types of data

PramodhKumar
Explorer
‎03-08-2020 04:29 AM

Hi Splunkers,

Splunk suggests to extract fields at forwarders for structured data, why? and what if i have field names in the log / no filed field names in the log?

I have a confusion that whether my license usage get affected by structured field extraction at index time/ at forwarders.
I understand that splunk license counts against what you index , so if i do indexed field extractions then those field value pairs will be added to _raw and cause license usage, is that correct?

For unstructured data Splunk suggests us to do extraction at search time?.

I'm clear with these but sometimes not,.

any advises will be appreciated..

Pramodh B

0 Karma
Reply

valishaik
New Member
‎03-08-2020 10:47 AM

what is the splunk DB connetion?

0 Karma
Reply

manjunathmeti
Champion
‎03-08-2020 07:41 AM

  1. Field extraction settings for structured data must be configured on the forwarder.

  2. If structured data has fields then those are automatically extracted. If not then FIELD_NAMES attribute can be configured in props.conf to set field names.

  3. For structured data all the fields in data are extracted during index time only.

  4. For unstructured data it's better to extract data during search time as Splunk doc says:

####Index-time custom field extraction can degrade performance at both index time and search time. When you add to the number of fields extracted during indexing, the indexing process slows. Later, searches on the index are also slower, because the index has been enlarged by the additional fields, and a search on a larger index takes longer. You can avoid such performance issues by instead relying on search-time field extraction.

Reply

PramodhKumar
Explorer
‎03-08-2020 08:42 AM

Thank you,

I appreciate your efforts here.

  1. why splunk suggests to extarct fields at search time, is this same for structured/unstructured?
  2. What if I do extraction during index-time for unstructured data? license usage?
  3. I didn't understand, this in comparison to your 1st point.
  4. This is clear.

Pramodh

0 Karma
Reply

manjunathmeti
Champion
‎03-08-2020 09:16 AM
  1. Refer point 4. This is same for both structured and unstructured.
  2. License is measured based on the amount of raw data that the indexer ingests into its indexing pipeline. Basically it is counted against _raw data.
  3. Actually parsing , merging and typing for structured data happens in forwarder only and indexing happens in indexer server.
0 Karma
Reply

woodcock
Esteemed Legend
‎03-08-2020 07:26 AM

It has nothing to do with license because you are metered for that with length of _raw in bytes.

First, that guidance is overly-smplistic to the point of being fallacious; please post a followup comment here with the URL where you read that so that I can submit some feedback.

The MAIN reason that this advice is wrong is because it will lead people to the very bad and generally WRONG decision to use Heavy Forwarders (which can do every kind of index-time field extractions) instead of Universal Forwarders: https://www.splunk.com/en_us/blog/tips-and-tricks/universal-or-heavy-that-is-the-question.html

Another reason it is wrong is because index-time field extractions consume a significant amount of disk space, often for no actual benefit (nobody is tstatsing them).

Also, the only sensible way to do index-time field extractions on a Universal Forwarder is with INDEXED_EXTRACTIONS which should generally be avoided because it is "all or none".

The only shred of this advice that is true is the universal distributed architecture rule that, all other considerations being equal (note my previously voiced inequalities above) as much as possible should be done at the leaves of the tree.

Reply

PramodhKumar
Explorer
‎03-08-2020 08:37 AM

Thank you,

All your suggestions are good, I really appreciate your effort.

My question is what does INDEXED_EXTRACTIONS do at UF, lets say I have a csv file having 20 lines, no field names.
I did INDEXED_EXTRACTIONS at UF now what exactly my forwarder sends to Indexer? That's all...

My doubt is if UF forwards _raw + new field vales then while passing throgh index pipeline, does it counts all?

There are 4 pipelines - Parsing-Mergine-Typing-Index , license metered at last pipeline, is that correct when data being written to disk?

Can you please elaborate on precedence of props attributes vs license meter.

Pramodh

0 Karma
Reply

woodcock
Esteemed Legend
‎03-08-2020 10:14 AM

There is no impact on license, only disk and CPU.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...