What is the role of INDEXED_VALUE in fields.conf

brandy81 · ‎03-10-2021

Hi,

There is the description for INDEXED_VALUE in fields.conf

INDEXED_VALUE = [true|false|<sed-cmd>|<simple-substitution-string>]
* Set this to true if the value is in the raw text of the event.
* Set this to false if the value is not in the raw text of the event.
* Setting this to true expands any search for key=value into a search of
  value AND key=value (since value is indexed).

* NOTE: You only need to set indexed_value if indexed = false.

INDEXED_VALUE is used when indexed = false according to the description. Then, when is the option INDEXED_VALUE used? Which circumstances require this option?

Is there a case where only value is indexed and key(field) is not indexed?

The description makes me confused.. Hope anyone help me out.

Thanks a lot.

isoutamo · ‎03-11-2021

Hi

Maybe these answers, blogs and docs helps to understand this?

r. Ismo

What is the role of INDEXED_VALUE in fields.conf

administration

configuration

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

What is the role of INDEXED_VALUE in fields.conf

administration

configuration

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25