Splunk spath vs plain search performance

Question

Assuming that I have json logs formatted like

{
    level: INFO,
    logger: com.mantkowicz.test.TestLogger,
    message: Just a simple test log message
}

what is the difference between such two searches:

A) ... | message = "Just a simple test log message"
B) ... | spath message | search message = "Just a simple test log message"

Is there any performance drawback? Should I prefer one of these?

score 1 · Answer 1 · answered Jul 02 '20 at 11:18

1

You should probably go with the first approach and remove the need for spath.

Depending on your use case, you could also look at JSON indexed extractions, KV_MODE=json which can do the field extractions at index time, rather than every search.

answered Jul 02 '20 at 11:18

Simon Duff

2,631
2
7
15

score 1 · Answer 2 · answered Jul 02 '20 at 13:50

1

You may find that search A doesn't work if there is no 'message' field extracted. In that case, you'll need search B or extract fields at index-time as @Simon Duff suggested.

answered Jul 02 '20 at 13:50

RichG

9,063
2
18
29

Splunk spath vs plain search performance

2 Answers2