Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there any benefit to explicit field extraction vs letting splunk do it on it's own?

daniel333
Builder
‎10-19-2017 03:11 PM

All,

I have a soucetype that is quite complex. So I need to leave autoKV extractions on. In one of the logs there is a key value which is the line of an error. Literally line=1234. I see in props.conf a coworker explicitly is extracting line as line=(?\d*) . Is there any value to this? Given we have autoKV on, seems rather redundant.

I can imagine a situation where a user might be looking at a million of these records. So think there is value there?

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎10-19-2017 04:29 PM

If your KV setup of your data is done right, that will work just fine. By done right, I mean that the keys and values are done so that they work well. Examples of those that don't are keys with spaces in the names, and values that have spaces that aren't enclosed in quotes. Here is an example of what you don't want to see:

user name = John Smith

but this works fine:

username="John Smith"

Also, if you don't need all the fields extracted, but only a few of a large set, don't do the autoKV and have a simple, but efficient field extraction for better performance. The KV extraction that Splunk does is pretty efficient, if the KVs are done right. In your case of wanting a single value, and it is simply digits for the value, the efficiency is better with a specific field extraction, but even so you probably won't notice much difference with the autoKV on. If you need to eek out every bit of performance it will make a difference.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...