Splunk Search

Is there any benefit to explicit field extraction vs letting splunk do it on its own?

daniel333
Builder

All,

I have a sourcetype that is quite complex. So I need to leave autoKV extractions on. In one of the logs there is a key value which is the line of an error. Literally line=1234. I see in props.conf a coworker explicitly is extracting line as line=(?<line>\d*) . Is there any value to this? Given we have autoKV on, seems rather redundant.

I can imagine a situation where a user might be looking at a million of these records. So I think there is value there?


cpetterborg
SplunkTrust

If your KV setup of your data is done right, that will work just fine. By done right, I mean that the keys and values are done so that they work well. Examples of those that don't are keys with spaces in the names, and values that have spaces that aren't enclosed in quotes. Here is an example of what you don't want to see:

user name = John Smith

but this works fine:

username="John Smith"

Also, if you don't need all the fields extracted, but only a few of a large set, don't do the autoKV and have a simple, but efficient field extraction for better performance. The KV extraction that Splunk does is pretty efficient, if the KVs are done right. In your case of wanting a single value, and it is simply digits for the value, the efficiency is better with a specific field extraction, but even so you probably won't notice much difference with the autoKV on. If you need to eke out every bit of performance it will make a difference.

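As an added illustration (not code from this thread, and not Splunk's own implementation), here is a small Python model of the two approaches the answer contrasts: a simplified key=value auto-extractor, run over constructed events, beside a targeted regex for line like the one in the question. The auto-extractor regex and the sample events are assumptions; Splunk's real autoKV rules are more involved.

```python
import re

# Constructed sample events (not taken from the thread).
EVENTS = [
    'ts=2024-01-01T00:00:00Z level=ERROR line=1234 user name = John Smith',
    'ts=2024-01-01T00:00:01Z level=ERROR line=42 username="John Smith"',
    'ts=2024-01-01T00:00:02Z level=INFO msg=ok',
    'ts=2024-01-01T00:00:03Z level=WARN line=n/a',
]

# Simplified model of key=value auto-extraction (an approximation, not
# Splunk's implementation): a key is a run of word characters immediately
# followed by '=', and the value is either a double-quoted string or a run
# of non-whitespace characters. "user name = John Smith" therefore yields
# no field at all, while username="John Smith" yields the full value.
AUTO_KV = re.compile(r'\b(\w+)=("([^"]*)"|(\S+))')


def auto_kv(event):
    """Return every key=value pair the simplified auto-extractor finds."""
    fields = {}
    for m in AUTO_KV.finditer(event):
        quoted, bare = m.group(3), m.group(4)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


# Targeted extraction like the props.conf regex in the question. Splunk's
# PCRE form is line=(?<line>\d*); Python's re spells the named group
# (?P<line>...). This version uses \d+ rather than \d* so that a
# non-numeric value produces no field instead of an empty match.
LINE_RE = re.compile(r'\bline=(?P<line>\d+)')


def extract_line(event):
    """Return the numeric line field, or None if the event has no such value."""
    m = LINE_RE.search(event)
    return int(m.group('line')) if m else None


if __name__ == '__main__':
    for ev in EVENTS:
        print(auto_kv(ev), '| explicit line:', extract_line(ev))
```

The explicit extraction also constrains the value to digits, so an event such as line=n/a is caught by autoKV as a string but produces no line field from the targeted regex.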