Admin Manual

 


Indexing with Splunk

Index time versus search time

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Index time versus search time

Splunk documentation includes many references to the terms "index time" and "search time". These terms distinguish between the sorts of event data that are processed by Splunk during indexing, and other kinds of event data that are processed when a search is run.

It is important to consider this distinction when administering Splunk. For example, if you haven't yet started indexing data and you think you're going to have a lot of custom source types and hosts, you might want to get those in place before you start indexing. You can do this by defining custom source types and hosts (through rule-based source type assignment, source type overriding, input-based host assignment, and host overrides), so that these things are handled during the indexing process.

On the other hand, if you have already begun to index your data, you might want to handle the issue at search time. Otherwise, you will need to re-index your data, in order to apply the custom source types and hosts to your existing data as well as new data. After indexing, you can't change the host or source type assignments, but you can tag them with alternate values and manage the issue that way.

As a general rule, it is better to perform most knowledge-building activities, such as field extraction, at search time. Additional, custom field extraction, performed at index time, can degrade performance at both index time and search time. When you add to the number of fields extracted during indexing, the indexing process slows. Later, searches on the index are also slower, because the index has been enlarged by the additional fields, and a search on a larger index takes longer. You can avoid such performance issues by instead relying on search-time field extraction. For details on search-time field extraction, see "About fields" and "Create search-time field extractions" in the Knowledge Manager manual.

At index time

Index-time processes take place just before event data is actually indexed.

The following processes can occur during (or before) index time:

At search time

Search-time processes take place while a search is run, as events are collected by the search. The following processes occur at search time:

This documentation applies to the following versions of Splunk: 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 4.3.7 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!