Re: Extract fields in query or in config file

indeed_2000 · ‎12-20-2023

Hi

What is the different between Extract fields in query with rex or in config file.

Pros and cons?

how about performance?

Thanks,

gcusello · ‎12-20-2023

Hi @indeed_2000,

if you extract a field using the rex command you have this extraction only in the search,

if you have a field extraction (even if done with athe same regex) in conf file (that means save the regex as field extraction), you can use the field extractions in all searches (related to the permission of the knowledge object).

Ciao.

Giuseppe

indeed_2000 · ‎12-20-2023

@gcusello How about performance?

gcusello · ‎12-20-2023

Hi @indeed_2000 ,

exctly the same because the field exraction is performed at search time.

ciao.

Giuseppe

isoutamo · ‎12-20-2023

Hi

it’s probably same, but (at least in there) if you have lot of those in conf files then those could minimally slow down the execution time as those conf files load every time when you are executed a query. But unless you haven’t thousands of those it probably don’t mark anything.

r. Ismo

Extract fields in query or in config file

field extraction

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation