Index time versus search time
Splunk documentation includes many references to the terms "index time" and "search time". These terms distinguish between the sorts of event data that are processed by Splunk during indexing, and other kinds of event data that are processed when a search is run.
It is important to consider this distinction when administering Splunk. For example, if you haven't yet started indexing data and you think you're going to have a lot of custom source types and hosts, you might want to get those in place before you start indexing. You can do this by defining custom source types and hosts (through rule-based source type assignment, source type overriding, input-based host assignment, and host overrides), so that these things are handled during the indexing process.
On the other hand, if you have already begun to index your data, you might want to handle the issue at search time. Otherwise, you will need to re-index your data, in order to apply the custom source types and hosts to your existing data as well as new data. After indexing, you can't change the host or source type assignments, but you can tag them with alternate values and manage the issue that way.
As a general rule, it is better to perform most knowledge-building activities, such as field extraction, at search time. Additional, custom field extraction, performed at index time, can degrade performance at both index time and search time. When you add to the number of fields extracted during indexing, the indexing process slows. Later, searches on the index are also slower, because the index has been enlarged by the additional fields, and a search on a larger index takes longer. You can avoid such performance issues by instead relying on search-time field extraction. For details on search-time field extraction, see "About fields" and "Create search-time field extractions" in the Knowledge Manager manual.
At index time
Index-time processes take place just before event data is actually indexed.
The following processes can occur during (or before) index time:
- Default field extraction (such as
- Static or dynamic host assignment for specific inputs
- Default host assignment overrides
- Source type customization
- Index-time field extraction
- Event timestamping
- Event linebreaking
- Event segmentation (also happens at search time)
At search time
Search-time processes take place while a search is run, as events are collected by the search. The following processes occur at search time:
How indexing works
Advanced indexing strategy
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7