https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499924#M61562 <P>That's exactly what I wrote.</P> Thu, 26 Mar 2020 18:09:52 GMT martin_mueller 2020-03-26T18:09:52Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499917#M61555 <P>Does KO explorer show which fields are indexed and which not? This has always been a challenge and anything which does this would be helpful.<BR /> I couldn't find a direct answer in the doc or screenshots, but may have just missed it.</P> <P>This is handy to know if you want to manipulate lispy etc. and do other optimisations on searches.</P> Wed, 25 Mar 2020 03:33:20 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499917#M61555 charlesmeo 2020-03-25T03:33:20Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499918#M61556 <P>No, the KO Explorer doesn't distinguish between indexed fields and search time fields. It translates your search into normalizedSearch, indexed fields don't play a role there - that's lispy (see <A href="https://conf.splunk.com/watch/conf-online.html?search=fn1003" target="_blank">https://conf.splunk.com/watch/conf-online.html?search=fn1003</A> for more).</P> <P>From a search perspective it's not easy to answer "is this field indexed or not?", at least not generically. In principle the answer could be different from one event to the next. Things you can do:</P> <UL> <LI>check fields.conf for fields that have explicitly been marked as indexed</LI> <LI>check props.conf for INDEXED_EXTRACTIONS</LI> <LI>check transforms.conf for stanzas that generate indexed fields</LI> <LI>use tstats or the :: syntax to check specific fields in specific events, e.g. <CODE>| tstats count where index=foo sourcetype=bar by maybe_indexed_field</CODE> will only return results if maybe_indexed_field is indexed. Similarly, if <CODE>index=foo sourcetype=bar field=value</CODE> yields results but <CODE>index=foo sourcetype=bar field::value</CODE> does not, <CODE>field</CODE> is likely not indexed [caveat: some weirdnesses exist with :: around complex values such as spaces, quotes, etc.]</LI> <LI>use the walklex command (7.3+, CLI only below that) to list all index-time fields... probably the best approach for discovery: <CODE>| walklex index=_internal type=field</CODE></LI> </UL> <P>Finally, you can promote <A href="https://ideas.splunk.com/ideas/E-I-70" target="_blank">https://ideas.splunk.com/ideas/E-I-70</A> ("Add an Explain/Debug Mode to display how fields were created") to maybe get an improvement added to core in some future release.</P> Wed, 30 Sep 2020 04:46:02 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499918#M61556 martin_mueller 2020-09-30T04:46:02Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499919#M61557 <P>I have voted for the Idea as suggested. </P> <P>But there's still something here I don't get. I thought indexed fields DID play a role in the lispy. If you happen to know you are dealing with one, you can use the <STRONG>::</STRONG> operator instead of <STRONG>=</STRONG>, and the lispy is different.<BR /> But since there is no easy way to figure out whether a field is indexed or not (for custom fields) you don't have this option.</P> <P>Perhaps a future version of KO Explorer could at least inspect fields.conf and let the user know if a field might be indexed? Or is this not worth doing?<BR /> I am finding lispy quite confusing. I am a splunker of long standing but haven't looked under this particular rock before now.</P> Wed, 25 Mar 2020 23:22:05 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499919#M61557 charlesmeo 2020-03-25T23:22:05Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499920#M61558 <P>Indexed fields can play a role in lispy, but the KO Explorer doesn't deal with lispy. Its purpose is knowledge objects, ie search time things. Tags, Eventtypes, calculated fields, field aliases, stuff like that... things that cause normalizedSearch to explode in bad cases. Indexed fields don't matter there.</P> <P>A key word in that first sentence is <EM>can</EM>. Many indexed fields will work even if lispy treats them as search time, ie if <CODE>field=value</CODE> is translated to a lispy of <CODE>[ AND value ]</CODE> instead of <CODE>[ AND field::value ]</CODE> (see linked conf talk for more depth and breadth). As a result, fields.conf will only yield a small fraction of indexed fields.</P> <P>I've added two more things to consider to the original answer.</P> Wed, 25 Mar 2020 23:29:17 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499920#M61558 martin_mueller 2020-03-25T23:29:17Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499921#M61559 <P>Accepted the answer, which is of course correct but still leaves open the substance of your Idea.</P> <P>I had forgotten about INDEXED_EXTRACTIONS. Of course fields.conf won't give you anywhere near complete coverage. You would potentially need to go out to all the forwarders and see what they're up to as well. Alternatively, this is a good use case for splunking your git repo of splunk configurations I would think.</P> <P>But in general it seems, no magic bullets for this. C'est la vie..</P> Wed, 25 Mar 2020 23:49:42 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499921#M61559 charlesmeo 2020-03-25T23:49:42Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499922#M61560 <P>TBH, walklex is close to a magic bullet <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> Thu, 26 Mar 2020 16:11:45 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499922#M61560 martin_mueller 2020-03-26T16:11:45Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499923#M61561 <P>Au contraire mon frère: as of v7.3.0 <CODE>walklex</CODE> is also SPL!<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Walklex">https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Walklex</A></P> Thu, 26 Mar 2020 17:01:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499923#M61561 woodcock 2020-03-26T17:01:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499924#M61562 <P>That's exactly what I wrote.</P> Thu, 26 Mar 2020 18:09:52 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Indexed-vs-search-fields-Indexed-fields-vs-search-time-fields/m-p/499924#M61562 martin_mueller 2020-03-26T18:09:52Z