index time field extraction

grodaas · ‎08-30-2012

When I do index time field extraction will Splunk create a new separate index for the values in the extracted field ( For example a B-tree index) or will Splunk add key=value pairs as keywords to the existing full-text indexes found in the *.tsidx files?

lguinn2 · ‎09-03-2012

Splunk adds key-value pairs. Unless you have a very specific (and unusual) situation, index time field extraction will not improve performance. However, it is more complex, more error-prone and inflexible. This is why Splunk strongly encourages you to use search time field extractions. Index time field extraction is not faster - with very rare exceptions. Do not use it unless you must.

Splunk field extractions and Splunk indexing are not the same as relational database indexes. They are not remotely equivalent from a functional configuration perspective.

Did I say "don't use index time field extraction" often enough? I can say it again...

Also see this answer: Search-time versus index-time field extractions

index time field extraction

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

Join the Conversation

index time field extraction

Application management with Targeted Application Install for Victoria Experience

Index This | What goes up and never comes down?

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination