Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need some more clarification on _meta value while using.

lksridhar
Explorer
‎05-21-2018 11:53 PM

Hi Folks,

we have ingested the logs from microsoft azure using microsoft cloud services app on HF and we added some custom field in data input(inputs.conf) _meta=account_name::mscdes01 as that field is not present in raw logs. also added fields.conf on both indexer and search head and able to see the account_name field in the logs and looks good.

fields.conf- [account_name]
INDEXED = true

Here i have couple of questions.
1. will it create any performance issue if we using _meta option on HF.
2. can i create fields.conf file on HF instead creating on indexer & SH.
will it index the field if i create on HF.
3. why we are creating fields.conf on IDX and SH to extract that field.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-22-2018 12:13 AM

Hey,

  1. I don't see any issues, besides the increasing disk space consumption.
  2. You can, but it won't have the same (necessary) effect
  3. You need to tell the other instances that a field with that name was extracted at index time. If you don't do that, you'll get strange behavior when trying to search with it.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-22-2018 12:13 AM

Hey,

  1. I don't see any issues, besides the increasing disk space consumption.
  2. You can, but it won't have the same (necessary) effect
  3. You need to tell the other instances that a field with that name was extracted at index time. If you don't do that, you'll get strange behavior when trying to search with it.
0 Karma
Reply
Solved! Jump to solution

lksridhar
Explorer
‎05-22-2018 12:28 AM

Thanks for sharing the information, as you said we can add it fields.conf on HF instead of adding IDX and SH.

  1. will it index that field.
  2. what is best practice to add fileds.conf with INDEXED=True value , should we add on HF or IDX and SH.
0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-22-2018 12:43 AM

You CAN add the fields.conf on the HF, but it is only required for instances that are starting searches. So, unless your HF is used as a SH, no need for fields.conf there.
It is required on every search head!

0 Karma
Reply
Solved! Jump to solution

lksridhar
Explorer
‎05-22-2018 02:48 AM

Thanks, what about indexer do i need to add the fields.conf on both like HF and indexer.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-22-2018 04:26 AM

It is only required on the search head(s).

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...