
Fluent Bit logs sent through HEC: I am not able to search the field values except by using "::"

godman
Path Finder

When I see the fields on the left-hand side with 'X' number of events and select any value, it's not giving me the events; if I add this in the search I am able to get them.

index=fluentbit KUBERNETES_NAMESPACE="XXXX" --- doesn't work
index=fluentbit KUBERNETES_NAMESPACE=XXXX --- doesn't work
index=fluentbit KUBERNETES_NAMESPACE::"XXXX" --- works

I have added the fields in fields.conf, but nothing seems to work?


woodcock
Esteemed Legend

The answer from @mhoogcarspel_splunk is correct. If it isn't working, try also adding:

INDEXED_VALUE = true

If that doesn't work, then open a support case with Splunk.


mhoogcarspel_sp
Splunk Employee

If KUBERNETES_NAMESPACE::XXXX works, then add the following to fields.conf:

[KUBERNETES_NAMESPACE]
INDEXED=true

on your search head.

godman
Path Finder

I have added this on my SHs, but I am seeing the same pattern where events are not returning any values.


vasanthmss
Motivator

godman
Path Finder

This is a distributed environment, and the Splunk version is 7.1.2.
