Checking if the _meta data is actually indexed and used during searches

Hi all,

Our forwarders are adding metadata using inputs.conf:

[default]
host = some.host.name
_meta = environment::testing site::somewhere

First question: how can I check if that data is actually correctly stored next to the event? Is there a search command that I could use to show only this metadata?

Second question: how can I check if that metadata is actually used during the search execution?

Thanks,
Pieter

Re: Checking if the _meta data is actually indexed and used during searches

I don't know if anyone still cares, as this question was posted long ago, but here is the answer:
If you want to use the meta fields in search you have to make them indexed fields.
To do this you need to make a change on the indexer.
In fields.conf add the following:

[environment]
INDEXED = true
[site]
INDEXED = true

After that you should be able to use 'environment=' in your search. And you should also see those two fields show up in the fields list.
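
Added example, not part of the posts above: a small audit that reads the `_meta` key::value pairs from an inputs.conf and reports which of those fields are declared as indexed in fields.conf. The function names, the `owner::secops` pair and the sample files are constructed for illustration; it assumes unquoted `_meta` values and that Splunk treats setting names as case-sensitive.

```python
import configparser

# Constructed sample files. The first mirrors the inputs.conf in the question,
# plus a hypothetical third key (owner) that has no fields.conf stanza.
INPUTS_CONF = """\
[default]
host = some.host.name
_meta = environment::testing site::somewhere owner::secops
"""
FIELDS_CONF = """\
[environment]
INDEXED = true
[site]
INDEXED = false
"""

def _parse(text):
    # Splunk .conf files are INI-like. Split on "=" only (values contain "::")
    # and keep key case (assumption: setting names are case-sensitive).
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def meta_fields(inputs_text):
    """Return {field: set of values} from every _meta line (unquoted values assumed)."""
    cp, found = _parse(inputs_text), {}
    for stanza in cp.sections():
        for token in cp.get(stanza, "_meta", fallback="").split():
            key, sep, value = token.partition("::")
            if not (sep and key and value):
                raise ValueError(f"[{stanza}] malformed _meta token: {token!r}")
            found.setdefault(key, set()).add(value)
    return found

def audit(inputs_text, fields_text):
    """Return {field: status} saying whether each _meta field is declared indexed."""
    fields, report = _parse(fields_text), {}
    for key in sorted(meta_fields(inputs_text)):
        opts = dict(fields.items(key)) if fields.has_section(key) else None
        if opts is None:
            report[key] = "no stanza"
        elif opts.get("INDEXED", "").strip().lower() in ("true", "1"):
            report[key] = "ok"
        elif "INDEXED" not in opts and any(k.upper() == "INDEXED" for k in opts):
            report[key] = "INDEXED key has wrong case"
        else:
            report[key] = "INDEXED is not true"
    return report
```

Calling `audit(INPUTS_CONF, FIELDS_CONF)` returns one status per `_meta` field, so a field that forwarders send but that is not declared indexed stands out before anyone relies on it in a search.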