Sorry, I'm not sure I get it: "Splunk doesn't index fields as indexed fields, unless they are explicitly extracted as indexed fields"

How is it possible with Splunk Cloud? If I understand well, with kv_mode=json, even if our logs are JSON formatted, I will have to extract one by one all the fields I need, using the field extractions feature. The fields will then be extracted at search time, and not indexed. Right?

Then, wouldn't there be a risk to search performance if all fields are extracted at search time? Also, the usage of tstats will need to be reviewed for all our saved searches, dashboards, etc. Am I right?

Thanks
BR
Nordine