Why is index-time configuration expensive, and when do you use it? [Intermediate]
Answer
Index-time configuration is expensive because it affects ingestion, storage, license usage, parsing queues, and sometimes requires reindexing to correct historical data. I use it only when there is a strong operational, security, or performance reason.
Technical explanation
Index-time transformations are applied before data is stored, so mistakes can permanently change indexed data.
They can increase CPU load on parsing/indexing tiers and add operational complexity.
Valid uses include timestamp correction, line breaking, routing, nullQueue filtering, sourcetype assignment, and sensitive-data masking.
Hands-on example
Example: if logs contain credit-card numbers, use index-time masking or filtering before indexing because search-time masking is too late. For a normal application field like feature_flag, use search-time extraction instead.
Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.
More Observability interview questions
- What is observability, and how is it different from traditional monitoring? [Basic]
- What are the three pillars of observability (metrics, logs, traces)? [Basic]
- What is the difference between monitoring and observability in practice? [Basic]
- What are the four golden signals of monitoring? [Basic]
- What is the difference between the USE method and the RED method? [Basic]
- When would you use the USE method versus the RED method? [Basic]
- What is an SLI, an SLO, and an SLA, and how do they relate? [Basic]
- How do you choose good SLIs for a service? [Basic]