I am extracting one field at index time from the source field using a regex, and while searching on the field value I am sometimes unable to find it, though in the events it is being extracted.
Currently my fields.conf is like below:
[ID]
INDEXED = true
I have gone through https://www.splunk.com/blog/2011/10/07/cannot-search-based-on-an-extracted-field.html
which says INDEXED_VALUE = false
So if I update fields.conf then my stanza will become:
[ID]
INDEXED = true
INDEXED_VALUE = false
And if I update the above, will it affect already indexed fields?
and while checking https://docs.splunk.com/Documentation/Splunk/7.3.1/admin/Fieldsconf I see - NOTE: You only need to set indexed_value if indexed = false.
But in my case indexed=true is set. Please clarify.
Thanks.
Indexed data cannot be altered; however, it is best practice to have a test index to fiddle with until you get it right (use the one-shot command too!).
Ideally you don't really need to set the parameter INDEXED_VALUE = false, as this alone should be enough:
[ID]
INDEXED = True
It will only affect your indexed fields if you haven't set up the fields.conf parameter (to make them appear on the side panel).
About your issue with searching the fields, I would say, make sure you set your configs BEFORE releasing the data from your UFs, i.e. in a clustered env, push the configs to peers from the master first and THEN ingest the data; that way, the configs are applied to the incoming data correctly.
Hope this helps,
Musa
Nothing can affect already-indexed fields.
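An added example, not part of the thread above and not the poster's actual configuration: a minimal index-time extraction for the ID field discussed here, showing which file each piece lives in. The transforms stanza name, the sourcetype name and the regex are assumptions for illustration.

```ini
# transforms.conf (parsing tier: indexers / cluster peers or heavy forwarder)
# Stanza name and REGEX are hypothetical; adapt REGEX to the real event format.
[extract_id_indexed]
REGEX = ID=(\w+)
# Writes the captured value into the index as the token ID::<value>
FORMAT = ID::$1
WRITE_META = true

# props.conf (same parsing tier)
# "my_sourcetype" is a hypothetical sourcetype name.
[my_sourcetype]
TRANSFORMS-id = extract_id_indexed

# fields.conf (search head)
# Tells search that ID is an indexed field, so ID=<value> is looked up
# as the indexed token ID::<value>.
[ID]
INDEXED = true
```

Events indexed before the props/transforms pair was in place carry no `ID::<value>` token, so a search on `ID=<value>` will not return them while `INDEXED = true` is set, even if a search-time extraction still shows the field in those events.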