topic Re: Why is a search for fields added with _meta in inputs.conf not returning any results? in Splunk Search

Why is a search for fields added with _meta in inputs.conf not returning any results?

rainerzufall — Tue, 29 Sep 2020 09:20:12 GMT

Hello,

We added several fields with the _meta keyword in inputs.conf. When we search for the fields with "field::value" it is working, but when using "field=value" instead, there are no results.
We already added the new fields in fields.conf with "INDEXED=true" and "INDEXED_VALUE = false" options on our Search Heads, or is it needed to adapt the fields.conf settings on the Indexers as well?

Is there anything else to keep in mind?

Thanks,
Rainer

Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

ddrillic — Mon, 11 Apr 2016 15:43:33 GMT

This syntax of field::value is for for a tag followed by a field name.

It's interesting whether this tagging relates to your case -
http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Tagthehostfield

Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

MuS — Mon, 11 Apr 2016 20:51:48 GMT

Hi rainerzufall,

if your inputs.conf looks like this:

[monitor::/source_file]
_meta = foo::boo

your fields.conf on the SH and IDX must look like this:

[foo]
INDEXED = true

You then can search for it using this search:

index="IndexNameHere" source="/source_file" foo="boo"

If it still does not work, check the configs using btool if they are applied correct and there is no over writing values happening because of .conf file precedence.

Hope this helps ...

cheers, MuS

PS: You only need to set indexed_value if indexed = false http://docs.splunk.com/Documentation/Splunk/6.4.0/admin/Fieldsconf

Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

martin_mueller — Mon, 11 Apr 2016 21:07:28 GMT

field::value is an old way of searching for fields that currently means "this field is an indexed field, regardless of fields.conf".
The tag search tag::host=foo is entirely unrelated.

Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

rainerzufall — Tue, 12 Apr 2016 18:10:58 GMT

Thanks - I'll add the fields config on the Indexer as well.

Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

ppablo — Tue, 12 Apr 2016 23:42:33 GMT

Hi @rainerzufall

Glad you got some insight from @MuS 🙂 If his solution answered your question, don't forget to resolve the post by clicking "Accept" directly below his answer. This will make the solution easier to find for other users with the same issue. Thanks!

Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

rainerzufall — Wed, 13 Apr 2016 10:57:12 GMT

after applying the fields.conf to the indexer configuration, everything is fine now, even for old events...

Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

mhoogcarspel_sp — Wed, 23 Aug 2017 10:28:35 GMT

Since 6.6, the fields.conf is applied from the search head's configuration:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Installation/Aboutupgradingto6.6READTHISFIRST#Indexers_in_a_distributed_Splunk_environment_now_respect_the_INDEXED_setting_in_fields.conf_on_search_heads_only

If you added it via an app (via a deployer or otherwise),
you will need to export it to "system" if you want the setting to apply outside of the app:

in etc/apps//metadata/default.meta add:
[fields]
export = system

Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

matthewssa — Wed, 17 Oct 2018 15:14:42 GMT

Not only if you deploy the fields.conf in an app but /etc/system/local as well. The field would show up in a search but as soon as you try to search for a specific field value it would return no results. I had to add the export = system if I was deploying it to /etc/system/local