Splunk Search

Extract fields in query or in config file

indeed_2000
Motivator

Hi

What is the different between Extract fields in query with rex or in config file.

Pros and cons?

how about performance?

 

Thanks,

Labels (3)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @indeed_2000,

if you extract a field using the rex command you have this extraction only in the search,

if you have a field extraction (even if done with athe same regex) in conf file (that means save the regex as field extraction), you can use the field extractions in all searches (related to the permission of the knowledge object).

Ciao.

Giuseppe

indeed_2000
Motivator

@gcusello How about performance?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @indeed_2000 ,

exctly the same because the field exraction is performed at search time.

ciao.

Giuseppe

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

it’s probably same, but (at least in there) if you have lot of those in conf files then those could minimally slow down the execution time as those conf files load every time when you are executed a query. But unless you haven’t thousands of those it probably don’t mark anything.

r. Ismo

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...