Documentation > Splunk > Knowledge Manager Manual > Index time versus search time

Knowledge Manager Manual

 


Welcome
When you first deploy Splunk
Understand events
Work with fields
Work with hosts
Work with source types
Manage event types
Define tags and aliases
Group events into transactions
Manage saved searches and search jobs
Configure summary indexes

Index time versus search time

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Index time versus search time

You may notice that Splunk documentation includes many references to the terms index time and search time. These terms are used to distinguish between the sorts of event data that are processed by Splunk during indexing, and other kinds of event data that are processed when a search is run.

It is important to consider this distinction when administering Splunk. For example, if you haven't yet started indexing data and you think you're going to have a lot of custom source types and hosts, you might want to get those in place before you start indexing. You can do this by defining custom source types and hosts (through rule-based source type assignation, source type overriding, input-based host assignment, and host overrides), so that these things are handled during the indexing process.

On the other hand, if you have already begun to index your data, you might want to handle the issue at search time. Otherwise, you will need to re-index your data, in order to apply the custom source types and hosts to your existing data as well as new data. After indexing, you can't change the host or source type assignments, but you can tag them with alternate values and manage the issue that way.

As a general rule, it is better to perform most knowledge-building activities, such as field extraction, at search time. Additional, custom field extraction, performed at index time, can degrade performance at both index and search time. When you add to the number of fields extracted during indexing, the indexing process slows. Later, searches on the index are also slower, because the index has been enlarged by the additional fields, and a search on a larger index takes longer. You can avoid such performance issues by instead relying on search-time field extraction. For details, see "Add fields at search time" in this manual.

At index time

Index time processes take place just before event data is actually indexed.

The following processes occur during (or before) index time:


At search time

Search time processes take place after a search is run, as events are collected by the search. The following processes occur at search time:

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.0.7/Knowledge/Indextimeversussearchtime"

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!