Hi all,
First, I do apologise if this is clearly answered in Answers or Documentation; I have spent some time in both, and have still to find an answer.
Second, I am very new to Splunk. In fact, this question comes directly from Fundamentals One; a throw-away comment in Module 8, to be specific.
And so, my question: on the subject of search performance, and field extraction in particular, the instructor states that field inclusion can provide a boost, as it occurs before field extraction; he then goes on to say that field exclusion offers no such benefit, as it occurs after field extraction.
I'm trying to wrap my head around why this is the case; that is, why field exclusion differs so markedly from field inclusion, in terms of what Splunk knows about the entire search at the point of field extraction.
Thanks! And apologies for any stumbles re lexicon/vocabulary.
John
... View more