Implementing Splunk 7(Third Edition)

Indexed field case 5 - unneeded work

Once you learn to make indexed fields, it may be tempting to convert all your important fields into indexed fields. In most cases this is wasted effort: the extra field uses disk space, consumes license, and adds no performance boost.

For example, consider this log message:

4/2/12 6:35:50.000 PM [vincentbumgarner] [893783] sudo bash 

Assuming that the layout of this message is as follows, it might be tempting to put both userid and pid into indexed fields:

date [userid] [pid] action 

Since the values are uncommon and are unlikely to occur in unrelated locations, defining these fields as indexed fields is most likely wasteful. The raw value (vincentbumgarner or 893783) is already a term in the index, so a search for userid=vincentbumgarner narrows to essentially the same events whether or not userid is indexed; the only extra work is extracting the field from the handful of candidate events. It is much simpler to define these fields as extracted fields and shield ourselves from the disadvantages of indexed fields.
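The following is an added example, not code from the book, that models why the indexed field buys nothing here. It builds a toy lexicon (term to event ids, a simplified stand-in for what Splunk's index keeps) over a few constructed events in the date [userid] [pid] action layout, then runs the same search both ways: as a search-time extraction, which uses the literal value as an index term and then extracts and filters the candidates, and as an indexed field, which looks up a userid::value term written at index time. The regex and the userid/pid field names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample events in the "date [userid] [pid] action" layout.
# Event 2 deliberately repeats a userid value inside the action text so
# the search-time path has to discard a false candidate.
EVENTS = [
    "4/2/12 6:35:50.000 PM [vincentbumgarner] [893783] sudo bash",
    "4/2/12 6:36:02.000 PM [jsmith] [893790] ls -la /etc",
    "4/2/12 6:36:10.000 PM [root] [893801] su - vincentbumgarner",
    "4/2/12 6:37:44.000 PM [jsmith] [893811] sudo bash",
    "4/2/12 6:38:01.000 PM [mjones] [893822] cat /var/log/auth.log",
]

# Search-time extraction: the kind of regex an EXTRACT- stanza would carry.
FIELD_RE = re.compile(
    r"^(?P<date>\S+ \S+ \S+) \[(?P<userid>[^\]]+)\] \[(?P<pid>[^\]]+)\] (?P<action>.*)$"
)

# Crude tokenizer standing in for Splunk's segmentation of _raw.
TOKEN_RE = re.compile(r"[A-Za-z0-9_.-]+")


def build_lexicon(events, indexed_fields=()):
    """Toy lexicon: term -> set of event ids.

    Every raw token is indexed no matter what. For each name in
    indexed_fields an additional field::value term is written, which is
    what an index-time transform with WRITE_META = true produces.
    """
    lexicon = defaultdict(set)
    for eid, raw in enumerate(events):
        for tok in TOKEN_RE.findall(raw):
            lexicon[tok].add(eid)
        m = FIELD_RE.match(raw)
        if m:
            for field in indexed_fields:
                lexicon[f"{field}::{m.group(field)}"].add(eid)
    return lexicon


def search_extracted(events, lexicon, field, value):
    """Search-time field: use the literal value as an index term to find
    candidate events, then extract the field and keep only true matches.

    Returns (matching event ids, number of candidate events read).
    """
    candidates = sorted(lexicon.get(value, ()))
    matches = []
    for eid in candidates:
        m = FIELD_RE.match(events[eid])
        if m and m.group(field) == value:
            matches.append(eid)
    return matches, len(candidates)


def search_indexed(events, lexicon, field, value):
    """Indexed field: look up the field::value term directly.

    Returns (matching event ids, number of candidate events read).
    """
    candidates = sorted(lexicon.get(f"{field}::{value}", ()))
    return candidates, len(candidates)


def extra_terms(events, indexed_fields):
    """How many additional lexicon terms the indexed fields cost."""
    base = build_lexicon(events)
    with_fields = build_lexicon(events, indexed_fields)
    return len(with_fields) - len(base)


if __name__ == "__main__":
    plain = build_lexicon(EVENTS)
    rich = build_lexicon(EVENTS, ("userid", "pid"))
    print("search-time:", search_extracted(EVENTS, plain, "userid", "vincentbumgarner"))
    print("indexed    :", search_indexed(EVENTS, rich, "userid", "vincentbumgarner"))
    print("extra terms:", extra_terms(EVENTS, ("userid", "pid")))
```

Both searches return the same single event. The search-time path reads one extra candidate (event 2, where the name appears in the action text) and discards it after extraction, which is the entire cost of not indexing the field; the indexed path avoids that one extraction at the price of nine additional lexicon terms across just five events. With uncommon values the candidate set from the raw term is already tiny, so the indexed field only inflates the index.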