Hey guys,
So I am looking at indexed time extraction as possibly helping with my search time field extraction troubles. Any idea how I might measure this?
Background:
We process about ~1 billion events a day in our Splunk instance. The first 4 characters of hostnames on our servers are our datacenterID. The field extraction is therefore running... 10s of millions of times in any search.
1) This isn't going to change
2) We're using this field in hundreds of searches already
How would I know if this would help or not?