What is the role of INDEXED_VALUE in fields.conf

brandy81 · ‎03-10-2021

Hi,

There is the description for INDEXED_VALUE in fields.conf

INDEXED_VALUE = [true|false|<sed-cmd>|<simple-substitution-string>]
* Set this to true if the value is in the raw text of the event.
* Set this to false if the value is not in the raw text of the event.
* Setting this to true expands any search for key=value into a search of
  value AND key=value (since value is indexed).

* NOTE: You only need to set indexed_value if indexed = false.

INDEXED_VALUE is used when indexed = false according to the description. Then, when is the option INDEXED_VALUE used? Which circumstances require this option?

Is there a case where only value is indexed and key(field) is not indexed?

The description makes me confused.. Hope anyone help me out.

Thanks a lot.

isoutamo · ‎03-11-2021

Hi

Maybe these answers, blogs and docs helps to understand this?

r. Ismo

What is the role of INDEXED_VALUE in fields.conf

administration

configuration

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms