Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

About "https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Configureindex-timefieldextraction#Add_an_entry_to_fields.conf_for_the_new_field".

yutaka1005
Builder
‎02-18-2019 02:36 AM

There is following description in this manual.

For example, say you're performing a simple <field>::1234 extraction at index time. This could work, but you would have problems if you also implement a search-time field extraction based on a regex like A(\d+)B, where the string A1234B yields a value for that field of 1234. This would turn up events for 1234 at search time that Splunk would be unable to locate at index time with the <field>::1234 extraction.

I don't feel that Splunk is completely a "schema on the fly" in this specification...
Is this specification never modified?

I hope that it will be changed.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-06-2019 08:17 PM

That text is AWFUL. What they are trying to say is that if you isolate a value for a field at index time where the value is not prefixed/bounded by major/minor-breakers, you need to tell splunk this by using INDEXED_VALUE=false. This is important because Splunk needs to know that the value for this field is not part of the tsidx/strings list. I submitted dox feedback pointing to this Q&A and hopefully they will make it more clear.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-06-2019 08:17 PM

That text is AWFUL. What they are trying to say is that if you isolate a value for a field at index time where the value is not prefixed/bounded by major/minor-breakers, you need to tell splunk this by using INDEXED_VALUE=false. This is important because Splunk needs to know that the value for this field is not part of the tsidx/strings list. I submitted dox feedback pointing to this Q&A and hopefully they will make it more clear.

Reply
Solved! Jump to solution

yutaka1005
Builder
‎03-06-2019 10:22 PM

Wow, you are right.

By setting INDEXED_VALUE = false, it was possible to search even field that special extraction was done from middle of words.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...