Re: Extract fields in query or in config file

indeed_2000 · ‎12-20-2023

Hi

What is the different between Extract fields in query with rex or in config file.

Pros and cons?

how about performance?

Thanks,

gcusello · ‎12-20-2023

Hi @indeed_2000,

if you extract a field using the rex command you have this extraction only in the search,

if you have a field extraction (even if done with athe same regex) in conf file (that means save the regex as field extraction), you can use the field extractions in all searches (related to the permission of the knowledge object).

Ciao.

Giuseppe

indeed_2000 · ‎12-20-2023

@gcusello How about performance?

gcusello · ‎12-20-2023

Hi @indeed_2000 ,

exctly the same because the field exraction is performed at search time.

ciao.

Giuseppe

isoutamo · ‎12-20-2023

Hi

it’s probably same, but (at least in there) if you have lot of those in conf files then those could minimally slow down the execution time as those conf files load every time when you are executed a query. But unless you haven’t thousands of those it probably don’t mark anything.

r. Ismo

Extract fields in query or in config file

field extraction

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation