Need some more clarification on _meta value while using.

Explorer

Hi Folks,

We have ingested the logs from Microsoft Azure using the Microsoft Cloud Services app on the HF, and we added a custom field in the data input (inputs.conf), meta=accountname::mscdes01, as that field is not present in the raw logs. We also added fields.conf on both the indexer and the search head, and we are able to see the account_name field in the logs and it looks good.

fields.conf:
[account_name]
INDEXED = true

Here I have a couple of questions.
1. Will it create any performance issue if we use the _meta option on the HF?
2. Can I create the fields.conf file on the HF instead of creating it on the indexer & SH?
Will it index the field if I create it on the HF?
3. Why are we creating fields.conf on the IDX and SH to extract that field?


Re: Need some more clarification on _meta value while using.

SplunkTrust

Hey,

  1. I don't see any issues, besides the increasing disk space consumption.
  2. You can, but it won't have the same (necessary) effect.
  3. You need to tell the other instances that a field with that name was extracted at index time. If you don't do that, you'll get strange behavior when trying to search with it.


Re: Need some more clarification on _meta value while using.

Explorer

Thanks for sharing the information. As you said, we can add fields.conf on the HF instead of adding it on the IDX and SH.

  1. Will it index that field?
  2. What is the best practice for adding fields.conf with the INDEXED=True value: should we add it on the HF or on the IDX and SH?

Re: Need some more clarification on _meta value while using.

SplunkTrust

You CAN add the fields.conf on the HF, but it is only required for instances that are starting searches. So, unless your HF is used as a SH, no need for fields.conf there.
It is required on every search head!


Re: Need some more clarification on _meta value while using.

Explorer

Thanks. What about the indexer? Do I need to add fields.conf on both the HF and the indexer?


Re: Need some more clarification on _meta value while using.

SplunkTrust

It is only required on the search head(s).

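An added example, not part of the thread: a small Python check that compares the field names set through _meta in inputs.conf (on the heavy forwarder) with the INDEXED = true stanzas in the fields.conf deployed to the search heads, so a field that is indexed but never declared is caught before searches misbehave. The sample files, stanza names and function names are constructed for illustration, and the check assumes _meta values without embedded spaces.

```python
import configparser

# Constructed sample files (not from the thread); stanza names are placeholders.
INPUTS_CONF = """
[example_input://azure_good]
index = azure
_meta = account_name::mscdes01

[example_input://azure_typo]
index = azure
_meta = accountname::mscdes01
"""

FIELDS_CONF = """
[account_name]
INDEXED = true
"""

def _load(text):
    # Splunk .conf files are INI-like; treat '=' as the only delimiter so
    # the '::' inside _meta values is left alone.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (_meta, INDEXED)
    cp.read_string(text)
    return cp

def meta_fields(inputs_conf):
    """Map each input stanza to the field names it sets through _meta."""
    cp = _load(inputs_conf)
    found = {}
    for stanza in cp.sections():
        meta = cp.get(stanza, "_meta", fallback="")
        names = [tok.split("::", 1)[0] for tok in meta.split() if "::" in tok]
        if names:
            found[stanza] = names
    return found

def undeclared(inputs_conf, fields_conf):
    """(stanza, field) pairs set via _meta with no INDEXED = true stanza."""
    fc = _load(fields_conf)
    declared = {s for s in fc.sections()
                if fc.get(s, "INDEXED", fallback="").strip().lower() in ("true", "1")}
    return sorted((stanza, name)
                  for stanza, names in meta_fields(inputs_conf).items()
                  for name in names if name not in declared)

if __name__ == "__main__":
    for stanza, name in undeclared(INPUTS_CONF, FIELDS_CONF):
        print(f"{stanza}: '{name}' is indexed via _meta but not declared in fields.conf")
```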