index time field extraction

grodaas · ‎08-30-2012

When I do index time field extraction will Splunk create a new separate index for the values in the extracted field ( For example a B-tree index) or will Splunk add key=value pairs as keywords to the existing full-text indexes found in the *.tsidx files?

lguinn2 · ‎09-03-2012

Splunk adds key-value pairs. Unless you have a very specific (and unusual) situation, index time field extraction will not improve performance. However, it is more complex, more error-prone and inflexible. This is why Splunk strongly encourages you to use search time field extractions. Index time field extraction is not faster - with very rare exceptions. Do not use it unless you must.

Splunk field extractions and Splunk indexing are not the same as relational database indexes. They are not remotely equivalent from a functional configuration perspective.

Did I say "don't use index time field extraction" often enough? I can say it again...

Also see this answer: Search-time versus index-time field extractions

index time field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

index time field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability