What is the difference between search-time and index-time field extraction? [Intermediate]
Answer
Search-time field extraction happens when a search runs; index-time extraction happens before or during indexing and stores fields in a way that can affect indexing and search performance. Search-time is more flexible; index-time is more permanent and expensive to change.
Technical explanation
Search-time extractions are preferred for most fields because they can be changed without reindexing data.
Index-time extractions are used when fields must be indexed for performance, routing, masking, or compliance requirements.
Poor index-time decisions can increase storage and create long-term maintenance problems.
Hands-on example
Example: extract error_code and order_type at search time from JSON logs. Use index-time processing only to set host, source, sourcetype, timestamp, line breaking, routing, or to mask a secret before data is written.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More Observability interview questions
- What is observability, and how is it different from traditional monitoring? [Basic]
- What are the three pillars of observability (metrics, logs, traces)? [Basic]
- What is the difference between monitoring and observability in practice? [Basic]
- What are the four golden signals of monitoring? [Basic]
- What is the difference between the USE method and the RED method? [Basic]
- When would you use the USE method versus the RED method? [Basic]
- What is an SLI, an SLO, and an SLA, and how do they relate? [Basic]
- How do you choose good SLIs for a service? [Basic]