Getting Data In

Search using metadata returns different results

New Member

I'm getting different search results for the metadata I added to my log events. What did I misconfigure?

Added to inputs.conf on forwarder: _meta = datacenter::aws
Added to fields.conf on forwarder: [datacenter] INDEXED=true

Returns very few results:
datacenter=aws

Returns all results:
datacenter::aws

0 Karma
Highlighted

Re: Search using metadata returns different results

Splunk Employee
Splunk Employee

In this case, you need to have the fields.conf on your search head (where you’re searching.)

Additionally, there is an inherent difference between a search for field=a and field::a

The later of these is relevant for indexed fields. Search through your job inspector to see how the jobs are parsed differently.

0 Karma