m.antkowicz
Reputation: 13581
Splunk spath vs plain search performance
Assuming that I have json logs formatted like
{
level: INFO,
logger: com.mantkowicz.test.TestLogger,
message: Just a simple test log message
}
what is the difference between such two searches:
A) ... | message = "Just a simple test log message"
B) ... | spath message | search message = "Just a simple test log message"
Is there any performance drawback? Should I prefer one of these?
Upvotes: 4
Views: 1713
Answers (2)
RichG
Reputation: 9976
You may find that search A doesn't work if there is no 'message' field extracted. In that case, you'll need search B or extract fields at index-time as @Simon Duff suggested.
Upvotes: 1
Simon Duff
Reputation: 2651
You should probably go with the first approach and remove the need for spath.
Depending on your use case, you could also look at JSON indexed extractions, KV_MODE=json which can do the field extractions at index time, rather than every search.
Upvotes: 1
Related Questions
- Reading a field from a JSON log in Splunk using SPATH
- splunk : json spath extract
- Splunk : Spath searching the JSON array
- Splunk search the key in json
- Data Analysis in Splunk
- Splunk: indexes and metrics
- Filtering with regex vs json
- Java Splunk Best Logging Format
- Splunk Indexing Benchmark
- Splunk Custom Log format Parsing