issues
search
ChrisForsythe
/
SplunkStuff
A repository for generalized splunk code, dashboards, resources and suggestions/recommendations.
30
stars
4
forks
source link
Indexed vs search time
#19
Closed
mmccul
closed
2 years ago
mmccul
commented
3 years ago
Document when does indexed field extractions help.
If you search for a key/value pair where the value is not found in other strings (mykey=fancystringvalue): No benefit
If you search for a value plain as a quoted string without a field ("valuehere"): No benefit
If you search for a key/value pair where the value is commonly found in multiple keys (mykey=1): Benefit
Document when does indexed field extractions help.