All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I get Splunk DB Connect to recognize my custom fields?

ichea
Engager
‎10-29-2018 08:57 AM

A few weeks ago I downloaded the Trial Splunk Enterprise version and installed the Splunk DB Connect app to output my data to a SQL Server database. It is working but for some reason the custom fields I have created do not get sent to my database yet the default fields do. I tried multiple approaches and I found when I have a search containing a custom field no data will get sent. if I do a search using a default field I will get the expected results but the information from my custom fields will not populate in the DB. However, setting up the search with the custom fields does return results within the DB Connect interface. I am thinking that I need to add something like

[myField]
INDEXED = True
INDEXED_VALUE = False

to the config files but I'm new to Splunk and I'm not sure which one(s) because I can't see which file contains the defaults. Please, any thoughts or suggestions would be much appreciated. Thank you in advance.

0 Karma
Reply

kheo_splunk
Splunk Employee
Splunk Employee
‎11-07-2018 10:16 PM

If you'd like to create a custom field at search time in Splunk, props.conf is the one where you need to put proper regex.

Please start looking at http://docs.splunk.com/Documentation/Splunk/7.2.0/Knowledge/Createandmaintainsearch-timefieldextract... and check whether the field you have configured does appear on "INTERESTING FIELDS" pane on the left side in Search & Reporting app.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...