Physics, asked by rewantdumbhare7896, 1 year ago

What is the difference between field extraction and field transformation in Splunk?

Answers

Answered by nikita5140
0

different between difference between experience and extraction


akash2542: hllwwe
akash2542: mam
Answered by busamgopichand
0

Answer:

They are the same except that EXTRACT is inlined so only exists in props.conf whereas REPORT is 2-part with half in props.conf and the other half in transforms.conf. If later extractions depend on other extractions, you should definitely use REPORT so that you can clearly control which ones happen first. Also, if you have the same extractions for multiple sourcetypes, it is easier to have a single copy in transforms.conf so that any changes/fixes to it are done on 1 line in 1 file instead of on multiple lines in multiple files. Honestly, EXTRACT is lazy; I always do REPORT; I cannot think of any real advantage to EXTRACT.

Explanation:

Source: https://answers.splunk.com/answers/505202/inline-field-extracted-vs-transformation.html
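The two forms described in the answer above, side by side, as an added example that is not part of the original answer. The sourcetype names, field names, and regexes are constructed for illustration; the files are shown in one block with comments marking where each part lives.

```ini
# ---- props.conf ----

# Inline form: the whole regex sits in props.conf, one copy per sourcetype.
[fw_vendor_a]
EXTRACT-src_dst = src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+dst=(?<dest_ip>\d{1,3}(?:\.\d{1,3}){3})

# Two-part form: props.conf only names stanzas that live in transforms.conf.
# Transforms in the comma-separated list are applied in list order, so
# fw_src_octet can rely on the src_ip field that fw_src_dst produced.
[fw_vendor_b]
REPORT-net = fw_src_dst, fw_src_octet

# A second sourcetype reuses the same transform; a regex fix in
# transforms.conf then applies to both sourcetypes at once.
[fw_vendor_c]
REPORT-net = fw_src_dst

# ---- transforms.conf ----

# Shared extraction, defined once.
[fw_src_dst]
REGEX = src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+dst=(?<dest_ip>\d{1,3}(?:\.\d{1,3}){3})

# Dependent extraction: reads the already-extracted src_ip field instead of
# the raw event, which is why it must come after fw_src_dst in the REPORT list.
[fw_src_octet]
SOURCE_KEY = src_ip
REGEX = ^(?<src_first_octet>\d{1,3})\.
```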
