Menu
Assuming that I have json logs formatted like
{
level: INFO,
logger: com.mantkowicz.test.TestLogger,
message: Just a simple test log message
}
what is the difference between such two searches:
A) ... | message = "Just a simple test log message"
B) ... | spath message | search message = "Just a simple test log message"
Is there any performance drawback? Should I prefer one of these?
360
You should probably go with the first approach and remove the need for spath.
Depending on your use case, you could also look at JSON indexed extractions, KV_MODE=json which can do the field extractions at index time, rather than every search.
71
answered Sep 08 '25 11:09
You may find that search A doesn't work if there is no 'message' field extracted. In that case, you'll need search B or extract fields at index-time as @Simon Duff suggested.
32
answered Sep 08 '25 11:09
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
