https://community.splunk.com/t5/Splunk-Search/meta-fields-why-am-I-unable-to-search-for-all-of-the-events/m-p/446587#M167614 <P>You are using indexed time extration. You have to supply required fileds props and transforms to the search peers. If you are using heavy forwarder confs should to be in hf.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configureindex-timefieldextraction">https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configureindex-timefieldextraction</A></P> Sat, 16 Feb 2019 05:08:34 GMT vasanthmss 2019-02-16T05:08:34Z https://community.splunk.com/t5/Splunk-Search/meta-fields-why-am-I-unable-to-search-for-all-of-the-events/m-p/446584#M167611 <P>I am not able to search for all of the events from the fields. When i try field::value , I can see all of the events. But with field=value , only some of the events are searchable.<BR /> updated my fields.conf with [field] INDEXED = true , but do i also need to update my inputs.conf with the fields and its values? There are going to be more values for the fields, and it can be hard to update all of them? </P> Fri, 07 Sep 2018 18:45:18 GMT https://community.splunk.com/t5/Splunk-Search/meta-fields-why-am-I-unable-to-search-for-all-of-the-events/m-p/446584#M167611 godman 2018-09-07T18:45:18Z https://community.splunk.com/t5/Splunk-Search/meta-fields-why-am-I-unable-to-search-for-all-of-the-events/m-p/446585#M167612 <P>Hi @godman,</P> <P>Not sure if this helps, but I stumbled upon this answers post that seems similar to yours. Thought I'd pass it along just in case. <A href="https://answers.splunk.com/answers/389567/why-is-a-search-for-fields-added-with-meta-in-inpu.html">https://answers.splunk.com/answers/389567/why-is-a-search-for-fields-added-with-meta-in-inpu.html</A></P> Fri, 07 Sep 2018 19:11:35 GMT https://community.splunk.com/t5/Splunk-Search/meta-fields-why-am-I-unable-to-search-for-all-of-the-events/m-p/446585#M167612 mstjohn_splunk 2018-09-07T19:11:35Z https://community.splunk.com/t5/Splunk-Search/meta-fields-why-am-I-unable-to-search-for-all-of-the-events/m-p/446586#M167613 <P>In this example they only have one value for the field and in my case i have many values for each field and i am not able to add all of them to the inputs.conf .</P> Fri, 07 Sep 2018 20:32:21 GMT https://community.splunk.com/t5/Splunk-Search/meta-fields-why-am-I-unable-to-search-for-all-of-the-events/m-p/446586#M167613 godman 2018-09-07T20:32:21Z https://community.splunk.com/t5/Splunk-Search/meta-fields-why-am-I-unable-to-search-for-all-of-the-events/m-p/446587#M167614 <P>You are using indexed time extration. You have to supply required fileds props and transforms to the search peers. If you are using heavy forwarder confs should to be in hf.</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configureindex-timefieldextraction">https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configureindex-timefieldextraction</A></P> Sat, 16 Feb 2019 05:08:34 GMT https://community.splunk.com/t5/Splunk-Search/meta-fields-why-am-I-unable-to-search-for-all-of-the-events/m-p/446587#M167614 vasanthmss 2019-02-16T05:08:34Z