Splunk Search

Is there any benefit to explicit field extraction vs letting splunk do it on its own?

daniel333
Builder

All,

I have a sourcetype that is quite complex. So I need to leave autoKV extractions on. In one of the logs there is a key value which is the line of an error. Literally line=1234. I see in props.conf a coworker explicitly is extracting line as line=(?\d*) . Is there any value to this? Given we have autoKV on, seems rather redundant.

I can imagine a situation where a user might be looking at a million of these records. So think there is value there?


cpetterborg
SplunkTrust

If your KV setup of your data is done right, that will work just fine. By done right, I mean that the keys and values are done so that they work well. Examples of those that don't are keys with spaces in the names, and values that have spaces that aren't enclosed in quotes. Here is an example of what you don't want to see:

user name = John Smith

but this works fine:

username="John Smith"

Also, if you don't need all the fields extracted, but only a few of a large set, don't do the autoKV and have a simple, but efficient field extraction for better performance. The KV extraction that Splunk does is pretty efficient, if the KVs are done right. In your case of wanting a single value, and it is simply digits for the value, the efficiency is better with a specific field extraction, but even so you probably won't notice much difference with the autoKV on. If you need to eke out every bit of performance it will make a difference.

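To make the answer's two points concrete (why badly formed key=value pairs break automatic extraction, and what a targeted single-field extraction looks like next to it), here is an added illustration that is not part of the original thread and not Splunk's code. It uses a deliberately simplified key=value extractor that mimics the behaviour the answer describes, and a one-field regex like the `line=` extraction from the question. The sample events are constructed for this example.

```python
import re

# Constructed sample events (not from the original thread). The second one
# has the two problems the answer warns about: a key containing a space
# ("user name") and an unquoted value containing a space ("John Smith").
SAMPLE_EVENTS = [
    'ts=2024-05-01T10:00:00Z level=ERROR module=auth line=1234 msg="token expired"',
    'ts=2024-05-01T10:00:01Z user name = John Smith line=77',
    'ts=2024-05-01T10:00:02Z username="John Smith" line=78 detail=ok',
]

# A simplified key=value extractor in the spirit of automatic KV extraction:
# a key is a run of word characters, a value is either a double-quoted
# string or an unquoted run of non-space characters. This illustrates the
# behaviour described in the answer; it is NOT Splunk's implementation.
AUTO_KV = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')


def auto_kv(event):
    """Extract every key=value pair the simplified rules can see."""
    fields = {}
    for m in AUTO_KV.finditer(event):
        key = m.group(1)
        # Quoted value wins when present, otherwise the unquoted token.
        value = m.group(2) if m.group(2) is not None else m.group(3)
        fields[key] = value
    return fields


# The targeted extraction from the question: one named capture group for
# the single field that is actually needed, nothing else is touched.
LINE_RE = re.compile(r'line=(?P<line>\d+)')


def extract_line(event):
    """Return only the error line number, or None if the event has none."""
    m = LINE_RE.search(event)
    return m.group('line') if m else None


def compare(events):
    """Show, per event, what autoKV sees for 'line' versus the targeted regex."""
    rows = []
    for e in events:
        rows.append((auto_kv(e).get('line'), extract_line(e)))
    return rows


if __name__ == '__main__':
    for e in SAMPLE_EVENTS:
        print(auto_kv(e))
    print(compare(SAMPLE_EVENTS))
```

Running it shows that the badly formed second event yields `name='John'` with both `user` and `Smith` lost, while the quoted form in the third event extracts `username='John Smith'` cleanly. For the `line` field both approaches return the same value on every event; the difference is only that the targeted regex does one search for one field instead of walking every pair. In Splunk terms that targeted extraction is the `EXTRACT-<class> = line=(?<line>\d+)` style stanza in props.conf that the question refers to.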