Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Performance of EXTRACT- vs REPORT- for same regex

Jason
Motivator
‎01-24-2011 11:39 PM

Is there any difference in performance when using 

props.conf
EXTRACT-name1 = long (?<field1>regex) with lots of (?<field2>capture groups)

versus

props.conf
REPORT-name2 = transform_name

transforms.conf
[transform_name]
REGEX = long (regex) with lots of (capture groups)
FORMAT = field1::$1 field2::$2

?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎01-25-2011 01:08 AM

Since they are both extracted by the same regex processor at search time, my educated guess would be no.

Due to tradition, style, and readability, I personally tend to use the transforms.conf specification.

View solution in original post

Reply
Solved! Jump to solution
Solution

araitz
Splunk Employee
Splunk Employee
‎01-25-2011 01:08 AM

Since they are both extracted by the same regex processor at search time, my educated guess would be no.

Due to tradition, style, and readability, I personally tend to use the transforms.conf specification.

Reply
Solved! Jump to solution

Jason
Motivator
‎01-25-2011 06:01 PM

REPORT also allows you to apply the same regex easily to multiple data types without having multiple copies of the regex around - another reason why I use it.

Reply
Solved! Jump to solution

Jason
Motivator
‎01-25-2011 04:30 PM

Thanks - so do I. But I was working up a regex on the search bar with rex yesterday and tossed it right in an EXTRACT - so I was wondering.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...