Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the role of INDEXED_VALUE in fields.conf

brandy81
Path Finder
‎03-10-2021 11:04 PM

Hi, 

There is the description for INDEXED_VALUE in fields.conf

INDEXED_VALUE = [true|false|<sed-cmd>|<simple-substitution-string>]
* Set this to true if the value is in the raw text of the event.
* Set this to false if the value is not in the raw text of the event.
* Setting this to true expands any search for key=value into a search of
  value AND key=value (since value is indexed).

* NOTE: You only need to set indexed_value if indexed = false.

INDEXED_VALUE is used when indexed = false according to the description. Then, when is the option INDEXED_VALUE used? Which circumstances require this option?

Is there a case where only value is indexed and key(field) is not indexed?

The description makes me confused.. Hope anyone help me out.

Thanks a lot.

Labels (2)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top