Re: How can I determine which fields will work wit...

campbellwarren · ‎01-04-2019

I understand that tstats will only work with indexed fields, not extracted fields. How can I determine which fields are indexed? For example, in my IIS logs, some entries have a "uid" field, others do not. Tstats does not work with uid, so I assume it is not indexed. But I would like to be able to create a list. Is there some way to determine which fields tstats will work for and which it will not?

Also, is there a way to add a field to the index (like by editing a .conf file?)?

Thanks in advance for your help!

somesoni2 · ‎01-04-2019

For your first question, see this
https://answers.splunk.com/answers/339034/is-there-a-way-to-know-which-fields-were-extracted.html

To create indexed field, see this
https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Configureindex-timefieldextraction

mattymo · ‎01-05-2019

great answer by lowell in that first link, and definitely worth reading the indexed extractions docs through.

The search syntax field::value is a great quick check, but playing with walklex is definitely worth the time, and gets my vote, as it is the ultimate source of truth and will be a great trick to add to your Splunk Ninja arsenal!

More on it, and other cool debug tools here:

https://docs.splunk.com/Documentation/Splunk/7.2.3/Troubleshooting/CommandlinetoolsforusewithSupport...

also, for extra homework ;), check out @martin_mueller and his amazing talk on fields and tokens:

https://conf.splunk.com/files/2017/recordings/fields-indexed-tokens-and-you.mp4

https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf

- MattyMo

How can I determine which fields will work with tstats?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life