Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Adding a new indexed meta field to inputs.conf not showing up in fastmode

brent_weaver
Builder
‎08-19-2019 07:18 AM

We see it in smart mode but not in fast mode. What are we missing and where does this get defined?

0 Karma
Reply

Sukisen1981
Champion
‎08-19-2019 07:31 AM

if you can see it in both search and verbose mode, then one check that I suggest in do you know for sure that the custom meta field (i am assuming this is indexed filed and not a default field) occurs for greater than 20% of the events? To test you can change your inputs.conf and slightly re-configure the meta field to have it display for all fields like for source or sourcetype.

0 Karma
Reply

Sukisen1981
Champion
‎08-19-2019 07:32 AM

@brent_weaver
https://docs.splunk.com/Documentation/SplunkCloud/7.0.3/Knowledge/Aboutfields

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...