Splunk indexers — metrics data — HEC fields vs INDEXED_EXTRACTIONS changes the bucket

A discussion around Splunk metrics indexes and how using different ingestion methods changes the bucket. In our production environment, we encountered challenges with high cardinality metrics indexes, specifically those receiving metric data with a large number of unique dimension values.

The full post is available on medium, Splunk indexers — metrics data — HEC fields vs INDEXED_EXTRACTIONS changes the bucket, and on Splunk lantern, Preventing premature bucket rolling in metrics indexes.