When using the search app, which is more efficient to ingest into Splunk: JSON or XML?

maryamchar
Explorer

Hello,

I have the option to pick between the JSON or XML data type to ingest into Splunk. However, I would like to find a way to prove which data type is more efficient when it comes to ingest time, the way it looks, etc.

I know that JSON might be more efficient; however, I want to ingest each file and check how long it took for that file to get ingested, parsed, etc. I know how to ingest data, but I don't know how to check how long it took to parse.

Please provide a query or links.

Thank you in advance!

I'm using the Search and Reporting app.

0 Karma

gjanders
SplunkTrust

JSON is auto key-valued by default, as AUTO_KV_JSON is true by default; XML requires the XML mode to be set in props.conf.

Also, XML tends to be larger for most use cases, so I would use JSON. The difference will only be significant once you have larger events or start looking at a lot of events in a single search. I'm unsure if anyone has measured it...

If the JSON-style data is smaller than the XML-style data, this will also reduce your index / license cost.

0 Karma

maryamchar
Explorer

Thank you! Is there a way to check how long each file took to parse the data after ingestion?
I'm trying to check that.

0 Karma

gjanders
SplunkTrust

The metrics.log records some information around the CPU seconds spent parsing, but you would need an isolated environment to test in. Refer to Troubleshooting, About metrics.log.

If you were measuring search time, you could use the job inspector.

0 Karma
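
The kind of search the answer above points to, added here as an example and not posted by anyone in the thread: the first search sums the CPU seconds that metrics.log records for each processor in the parsing-stage pipelines, and the second compares the indexed volume of the two sourcetypes. It assumes a test instance that is ingesting nothing else and uses the hypothetical sourcetype names `test_json` and `test_xml`; because the pipeline figures are recorded per processor and not per sourcetype, load one file, run the first search over that time window, then repeat for the other file.

```spl
index=_internal source=*metrics.log* group=pipeline (name=parsing OR name=merging OR name=typing)
| stats sum(cpu_seconds) AS cpu_seconds, sum(executes) AS executes BY name, processor
| eval cpu_ms_per_execute = round(1000 * cpu_seconds / executes, 3)
| sort - cpu_seconds

index=_internal source=*metrics.log* group=per_sourcetype_thruput (series=test_json OR series=test_xml)
| stats sum(kb) AS kb, sum(ev) AS events BY series
| eval bytes_per_event = round(1024 * kb / events, 1)
```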