Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Performance of EXTRACT- vs REPORT- for same regex

Jason
Motivator
‎01-24-2011 11:39 PM

Is there any difference in performance when using 

props.conf
EXTRACT-name1 = long (?<field1>regex) with lots of (?<field2>capture groups)

versus

props.conf
REPORT-name2 = transform_name

transforms.conf
[transform_name]
REGEX = long (regex) with lots of (capture groups)
FORMAT = field1::$1 field2::$2

?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎01-25-2011 01:08 AM

Since they are both extracted by the same regex processor at search time, my educated guess would be no.

Due to tradition, style, and readability, I personally tend to use the transforms.conf specification.

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎01-25-2011 01:08 AM

Since they are both extracted by the same regex processor at search time, my educated guess would be no.

Due to tradition, style, and readability, I personally tend to use the transforms.conf specification.

View solution in original post

Reply
Solved! Jump to solution

Jason
Motivator
‎01-25-2011 06:01 PM

REPORT also allows you to apply the same regex easily to multiple data types without having multiple copies of the regex around - another reason why I use it.

Reply
Solved! Jump to solution

Jason
Motivator
‎01-25-2011 04:30 PM

Thanks - so do I. But I was working up a regex on the search bar with rex yesterday and tossed it right in an EXTRACT - so I was wondering.

0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!