Splunk Search

About "https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Configureindex-timefieldextraction#Add_an_entry_to_fields.conf_for_the_new_field".

yutaka1005
Builder

There is following description in this manual.

For example, say you're performing a simple <field>::1234 extraction at index time. This could work, but you would have problems if you also implement a search-time field extraction based on a regex like A(\d+)B, where the string A1234B yields a value for that field of 1234. This would turn up events for 1234 at search time that Splunk would be unable to locate at index time with the <field>::1234 extraction.

I don't feel that Splunk is completely a "schema on the fly" in this specification...
Is this specification never modified?

I hope that it will be changed.

0 Karma
1 Solution

woodcock
Esteemed Legend

That text is AWFUL. What they are trying to say is that if you isolate a value for a field at index time where the value is not prefixed/bounded by major/minor-breakers, you need to tell splunk this by using INDEXED_VALUE=false. This is important because Splunk needs to know that the value for this field is not part of the tsidx/strings list. I submitted dox feedback pointing to this Q&A and hopefully they will make it more clear.

View solution in original post

woodcock
Esteemed Legend

That text is AWFUL. What they are trying to say is that if you isolate a value for a field at index time where the value is not prefixed/bounded by major/minor-breakers, you need to tell splunk this by using INDEXED_VALUE=false. This is important because Splunk needs to know that the value for this field is not part of the tsidx/strings list. I submitted dox feedback pointing to this Q&A and hopefully they will make it more clear.

yutaka1005
Builder

Wow, you are right.

By setting INDEXED_VALUE = false, it was possible to search even field that special extraction was done from middle of words.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...