Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How does Field discovery work on Search heads?

richnavis
Contributor
‎05-02-2011 06:40 AM

I have a Splunk Search head that gets data from a Splunk Server that is indexing IIS logs. When I Query on the Indexing Server, SPlunk Autodiscovers the IIS headers which allows me to query using those headers.

Example: index=iis sc_status="404".

However, the fields aren't autodiscovered on the search head, so the same query doesn't return any results. Does anyone know how to populate the autodiscovered IIS fields on a search head?

Tags (2)
0 Karma
Reply

hazekamp
Builder
‎05-02-2011 09:45 AM

rnavis,

By default Splunk applies a property called "KV_MODE = auto" which will extract keys and values separated by an equal (=) sign. In this case it should extract "sc_status". This would occur when searches are executed from the search head and distributed to the indexers, or the search is executed directly on the indexer.

There are a few things that would disable this:

  1. Setting "KV_MODE = none" on host/source/sourcetype
  2. Field discovery switch is set to off in search view (flashtimeline)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...