Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How does Field discovery work on Search heads?

richnavis
Contributor
‎05-02-2011 06:40 AM

I have a Splunk Search head that gets data from a Splunk Server that is indexing IIS logs. When I Query on the Indexing Server, SPlunk Autodiscovers the IIS headers which allows me to query using those headers.

Example: index=iis sc_status="404".

However, the fields aren't autodiscovered on the search head, so the same query doesn't return any results. Does anyone know how to populate the autodiscovered IIS fields on a search head?

Tags (2)
0 Karma
Reply

hazekamp
Builder
‎05-02-2011 09:45 AM

rnavis,

By default Splunk applies a property called "KV_MODE = auto" which will extract keys and values separated by an equal (=) sign. In this case it should extract "sc_status". This would occur when searches are executed from the search head and distributed to the indexers, or the search is executed directly on the indexer.

There are a few things that would disable this:

  1. Setting "KV_MODE = none" on host/source/sourcetype
  2. Field discovery switch is set to off in search view (flashtimeline)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...