Search time or Index time- What would be the best practices in this scenario?

kelz
Explorer

Hi Splunkers,

Need help on translating this search query to splunk configuration via props/transform.

To give some context, the letter field was extracted via csv.

The "letter" field value is dynamic. It may have fewer or more values.

And the values are wrapped in HTML tags.

syntax: <p>"value"</p>

What would be the best practices in this scenario? Should I go with the method of search time or via index time?

Sample query:

| makeresults
| eval letter = "<p>A</p><p>B</p><p>C</p><p>D</p>"
| eval letter = replace(letter,"<p>","")
| eval letter = replace(letter,"</p>","__")
| makemv delim="__" letter

Expected output:

letter
A
B
C
D


gcusello
SplunkTrust

Hi @kelz,

I think you are a little confused, and I have some trouble understanding your question: it seems there are two topics in your question:

  • how to extract logs from html,
  • index time or search time fields extraction.

About the second topic, the difference between a field extraction at index time and at search time is that at index time you ask more work of your Indexers once, but less work each time a search is executed, compared with running the extraction at search time.

The choice depends on how many times an extraction is used by the users; you pay for an index-time extraction in disk space (very little) and in work for the Indexers.

So if your Indexers have to index many logs, it isn't a good idea to give them more work.

About the first question, could you share a sample of your logs and better describe your need?

Ciao.

Giuseppe
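Since the question asked for the props/transforms equivalent of the eval/replace/makemv chain, here is the search-time version as an added example (not code from the original thread or from Splunk's own documentation). It assumes a sourcetype named my_csv_sourcetype and writes the split values into a new field named letter_value; both names are assumptions, and it also assumes the CSV field "letter" is already available when search-time REPORT extractions run. REPORT- is used rather than EXTRACT- because only a transforms.conf stanza can set MV_ADD, which is what turns repeated regex matches into one multivalue field. A search-time extraction like this can be corrected in place at any time; an index-time extraction that turns out to be wrong cannot be fixed for data already indexed without re-indexing it.

```ini
# Added example, not from the original post: search-time multivalue extraction
# of the <p>...</p> values via props.conf / transforms.conf.
# Assumed names: sourcetype "my_csv_sourcetype", output field "letter_value".

# --- props.conf (on the search head, or in the app that owns the sourcetype) ---
[my_csv_sourcetype]
# REPORT- (not EXTRACT-) so the transform below can use MV_ADD.
REPORT-letter_values = letter_from_html

# --- transforms.conf ---
[letter_from_html]
# Run the regex against the already-extracted CSV field, not against _raw.
SOURCE_KEY = letter
# [^<]* stops at the next tag, so <p>A</p><p>B</p> yields A and B as separate
# matches instead of one greedy match spanning the whole string.
REGEX = <p>([^<]*)</p>
# Write into a new field; reusing "letter" as the target would collide with
# the CSV field the regex reads from.
FORMAT = letter_value::$1
# Keep every match as one value of a multivalue field.
MV_ADD = true
```

The regex is a delimiter trick, not an HTML parser: whatever sits between the tags, including escaped or nested markup, lands in letter_value verbatim, so treat the values as untrusted input in downstream searches. Before deploying the stanzas, the same regex can be checked from the search bar with rex on the letter field using max_match=0, which produces the same multivalue result.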


kelz
Explorer

Hello Giuseppe,

With regard to the topic you listed, "how to extract logs from html", I already did that with the sample query I provided, at search time.

I'm just curious what would be the best approach/practices in extracting some data in the given scenario.

Appreciate your response; it gives me more clarity about what approach I need to use for that. I'll be using search-time field extraction then, since there is only a little data in the CSV file.


Thanks again!




gcusello
SplunkTrust

Hi @kelz,

You can find many topics in the Community about this choice: index time or search time.

As I said, it depends on many factors: mainly log volume and the number of searches.

Usually the main use is at search time, but it's also possible to analyze the situation and apply index time in some cases.

It must be known that extraction at index time requires more work for the Indexers or (if present) the Heavy Forwarders, and more disk space.

If my answer solves your need, please accept it for the other people in the Community, or tell me how I can help you more.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

