Getting Data In

Search using metadata returns different results

New Member

I'm getting different search results for the metadata I added to my log events. What did I misconfigure?

Added to inputs.conf on forwarder: _meta = datacenter::aws
Added to fields.conf on forwarder: [datacenter] INDEXED=true

Returns very few results:
datacenter=aws

Returns all results:
datacenter::aws

0 Karma

Splunk Employee
Splunk Employee

In this case, you need to have the fields.conf on your search head (where you’re searching.)

Additionally, there is an inherent difference between a search for field=a and field::a

The later of these is relevant for indexed fields. Search through your job inspector to see how the jobs are parsed differently.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!