Is there any benefit to explicit field extraction ...

daniel333 · ‎10-19-2017

All,

I have a soucetype that is quite complex. So I need to leave autoKV extractions on. In one of the logs there is a key value which is the line of an error. Literally line=1234. I see in props.conf a coworker explicitly is extracting line as line=(?\d*) . Is there any value to this? Given we have autoKV on, seems rather redundant.

I can imagine a situation where a user might be looking at a million of these records. So think there is value there?

cpetterborg · ‎10-19-2017

If your KV setup of your data is done right, that will work just fine. By done right, I mean that the keys and values are done so that they work well. Examples of those that don't are keys with spaces in the names, and values that have spaces that aren't enclosed in quotes. Here is an example of what you don't want to see:

user name = John Smith

but this works fine:

username="John Smith"

Also, if you don't need all the fields extracted, but only a few of a large set, don't do the autoKV and have a simple, but efficient field extraction for better performance. The KV extraction that Splunk does is pretty efficient, if the KVs are done right. In your case of wanting a single value, and it is simply digits for the value, the efficiency is better with a specific field extraction, but even so you probably won't notice much difference with the autoKV on. If you need to eek out every bit of performance it will make a difference.

Is there any benefit to explicit field extraction vs letting splunk do it on it's own?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!