Using the Splunk-connect for kubernetes we are sending data from several kubernetes clusters to our Splunk cloud instance. We get search results when looking through logs, but often we have events that do not have the containerid, namespace, containername, or any other kubernetes data in the event itself.
The default drilldown from search results will add 'containername=' to the current search. This breaks of course because the field isn't defined and is not indexed. Our users, there are many, must then manually change the 'containername='. to 'container_name::'. And then must repeat this for any further drilldown attempts or changes to the search.
Has anyone successfully been able to add a field that does NOT exist in the event data to a Splunk Cloud instance so the "INDEXED_VALUE=FALSE" can then be added to the field so that "hopefully" native Splunk drill downs will work for this data? The field extractor and other field extractor tools have not been helpful so far as the field doesn't actually exist in the events. It's added through splunk connect for kubernetes.
Thanks for any advice that can be offered. Yes, we've already read through a lot of documents and previous tickets with no luck. We've also had a ticket opened with Splunk Support on this for a couple of weeks, with no progress.