Re: Fluentbit logs sent through HEC and I am not a... - Splunk Community

All Apps and Add-ons

When i see the fields in the left hand side with 'X' no of event's and when i select any value it's not giving me the event's , if i add this in the search I am able to get it.

index= fluentbit KUBERNETES_NAMESPACE = "XXXX" --- Doesn't work
index= fluentbit KUBERNETES_NAMESPACE = XXXX --- Doesn't work
index= fluentbit KUBERNETES_NAMESPACE :: "XXXX" -- work's

I have added the fields in the fields.conf but nothing seems to work ?

The answer from @mhoogcarspel_splunk is correct. If it isn't working, try also adding:

INDEXED_VALUE = true

If that doesn't work, then open a support case with splunk.

if KUBERNETES_NAMESPACE::XXXX works then add
fields.conf
[KUBERNETES_NAMESPACE]
INDEXED=true

to your search head

I have added this in my SH's but I am seeing the same pattern where event's are not returning any values.

Standalone / Distributed env.? Spunk version..?
Check
https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/Configureindex-timefieldextraction

V

This is a Distributed Environment , and the splunk version is : 7.1.2

Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...