Re: Fluentbit logs sent through HEC and I am not a... - Splunk Community

All Apps and Add-ons

When i see the fields in the left hand side with 'X' no of event's and when i select any value it's not giving me the event's , if i add this in the search I am able to get it.

index= fluentbit KUBERNETES_NAMESPACE = "XXXX" --- Doesn't work
index= fluentbit KUBERNETES_NAMESPACE = XXXX --- Doesn't work
index= fluentbit KUBERNETES_NAMESPACE :: "XXXX" -- work's

I have added the fields in the fields.conf but nothing seems to work ?

The answer from @mhoogcarspel_splunk is correct. If it isn't working, try also adding:

INDEXED_VALUE = true

If that doesn't work, then open a support case with splunk.

if KUBERNETES_NAMESPACE::XXXX works then add
fields.conf
[KUBERNETES_NAMESPACE]
INDEXED=true

to your search head

I have added this in my SH's but I am seeing the same pattern where event's are not returning any values.

Standalone / Distributed env.? Spunk version..?
Check
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configureindex-timefieldextraction

V

This is a Distributed Environment , and the splunk version is : 7.1.2

Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...