Splunk Mania

Field Extraction –
Index time Vs
Search time
(Which is better?) Swipe
 Splunk Mania

General Rule –
Index-time custom field extraction
can degrade performance

Search time Field extraction is

better.
Swipe
 Splunk Mania

Index time Search time

Take place between the point when the data is Take place while a search is run, as events are
consumed and the point when it is written to disk. collected by the search.

• Default field extraction (such as host, source,
sourcetype, and timestamp)
• Static or dynamic host assignment for specific inputs
• Default host assignment overrides
• Source type customization
• Custom index-time field extraction
• Structured data field extraction
• Event timestamping
• Event linebreaking
• Event segmentation (also happens at index
time)
• Event type matching
• Search-time field extraction (automatic and
custom field extractions, including multivalue
fields and calculated fields)
• Field aliasing
• Addition of fields from lookups
• Source type renaming

Swipe
• Event segmentation (also happens at search time) • Tagging
 Splunk Mania
How Index time extraction degrades
performance?
As a general rule, it is better to perform most knowledge-building
activities, such as field extraction, at search time. Index-time custom
field extraction can degrade performance at both index time and
search time. When you add to the number of fields extracted during
indexing, the indexing process slows. Later, searches on the index are
also slower, because the index has been enlarged by the additional
fields, and a search on a larger index takes longer. Swipe
 Splunk Mania

Next:
How Indexing works in Splunk?

Reference :
https://docs.splunk.com/Documentation/Splunk/8.2.2/Indexer/Indextimeversussearchtime