The second section controls what roles can read or write this configuration. The usual selections are the Read option for the Everyone parameter and the Write option for the admin parameter. As you build objects going forward, you will become very familiar with this dialog.
Indexed fields versus extracted fields
When an event is written to an index, the raw text of the event is captured along with a set of indexed fields. The default indexed fields include host, sourcetype, source, and _time. There are distinct advantages and a few serious disadvantages to using indexed fields.
First, let's look at the advantages of an indexed field (we will actually discuss configuring indexed fields in Chapter 10, Configuring Splunk):
• As an indexed field is stored in the index with the event itself, it is only calculated at index time, and in fact, can only be calculated once, at index time.
• It can make finding specific instances of common terms efficient. See use case 1 in the following section as an example.
• You can create new words to search against that simply don't exist in the raw text or are embedded inside a word. See use cases 2-4 in the following sections.
• You can efficiently search for words in other indexed fields. See the Indexed field case 3 - application from source section.
Now for the disadvantages of an indexed field:
• It is not retroactive. This is different from extracted fields, where all events, past and present, will gain the newly defined field if the pattern matches. This is the biggest disadvantage of indexed fields and has a few implications, as follows:
° Only newly indexed events will gain a newly defined indexed field
° If the pattern is wrong in certain cases, there is no practical way to apply the field to already indexed events
° Likewise, if the log format changes, the indexed field may not be generated (or generated incorrectly)
• It adds to the size of your index on disk.
• It counts against your license.
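As an added illustration, not the book's own configuration (that is covered in Chapter 10), here is the same idea expressed both ways: an application name pulled from the source path as an indexed field, beside a search-time extraction on the raw text. The sourcetype name app_log, the /opt/apps/<name>/ path layout, the stanza names and the log line shape are all assumed.

```ini
# props.conf -- assumed sourcetype "app_log", assumed source paths like
# /opt/apps/billing/app.log
[app_log]
# Index time: evaluated once, when the event is written, so only events
# indexed after this stanza exists will carry the "application" field.
TRANSFORMS-application = application_from_source
# Search time: evaluated on every search, so it applies to old and new
# events alike and can be corrected without reindexing.
EXTRACT-level = ^\S+\s+(?<level>[A-Z]+)\s

# transforms.conf
[application_from_source]
# Match against the source metadata rather than the raw event text
SOURCE_KEY = MetaData:Source
REGEX = /opt/apps/([^/]+)/
FORMAT = application::$1
# Write the result into the index as a field, not only into the raw text
WRITE_META = true

# fields.conf -- tells search to treat "application" as an indexed field
[application]
INDEXED = true
```

If the path layout later changes so that REGEX no longer matches, events indexed from then on simply lack the field, which is the "log format changes" case listed above.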