Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to assign/create indexed field in Splunk?

SplunkDash
Motivator
‎05-24-2022 09:28 AM

Hello,

I have huge volume of data coming in under different source types (or indexes) for different applications/projects. Are there any ways we can assign any indexed fields for each of the data sources/indexes/apps? As an example, most of the cases ACCOUNTID and IPAddress are the unique fields for each of the applications/Projects. How would I assign these 2 fields as indexed fields? Any thoughts or recommendations would be highly appreciated. Thank you so much.

Labels (2)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-24-2022 12:39 PM

Create a props.conf file (put it in your org's custom app) with a stanza for each sourcetype.  In each stanza, put TRANSFORM setting that indexes the desired field.  You'll need a matching stanza in transforms.conf that uses FORMAT or INGEST_EVAL to index the field.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

SplunkDash
Motivator
‎05-25-2022 08:50 PM

Hello,

Using this recommended transforms.conf to have the indexed field is going to be an indexed time field extraction?  Thank you so much again!

 

0 Karma
Reply

SplunkDash
Motivator
‎05-24-2022 12:58 PM

Hello,

Thank you so much for your quick response. Are there any other ways instead of using Transforms.conf file, as typically, we don't use transforms.conf file in our UFs/HFs push. Thank you so much.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-26-2022 05:28 AM

I know of no other ways.

Transforms cannot be used in a UF.  They can only be used in HF and indexer.

---
If this reply helps you, Karma would be appreciated.
Reply

SplunkDash
Motivator
‎05-26-2022 06:44 AM

Hello,

Thank you so much for your quick response., truly appreciate it. 

The main reason we wanted to use indexed fields is to optimize the search/base search. But, using indexed field and indexed time field extraction may cause some performance issues. We have huge volume of data and a several source types/indexes with unique ACCOUNTID and IPAddress fields, do you have any recommendation how to optimize the base search (search) in real time as we require to search over a wide range/period of time. Thank you so much, any recommendations will be helpful and greatly appreciated.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...