I understand that tstats will only work with indexed fields, not extracted fields. How can I determine which fields are indexed? For example, in my IIS logs, some entries have a "uid" field, others do not. Tstats does not work with uid, so I assume it is not indexed. But I would like to be able to create a list. Is there some way to determine which fields tstats will work for and which it will not?
Also, is there a way to add a field to the index (for example, by editing a .conf file)?
Thanks in advance for your help!
For your first question, see this
https://answers.splunk.com/answers/339034/is-there-a-way-to-know-which-fields-were-extracted.html
To create an indexed field, see this
https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Configureindex-timefieldextraction
Great answer by lowell in that first link, and definitely worth reading the indexed extractions docs through.
The search syntax field::value is a great quick check, but playing with walklex is definitely worth the time, and gets my vote, as it is the ultimate source of truth and will be a great trick to add to your Splunk Ninja arsenal!
More on it, and other cool debug tools here:
Also, for extra homework ;), check out @martin_mueller and his amazing talk on fields and tokens:
https://conf.splunk.com/files/2017/recordings/fields-indexed-tokens-and-you.mp4
https://conf.splunk.com/files/2017/slides/fields-indexed-tokens-and-you.pdf
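As an added illustration (not from any of the posters above) of the second question, here is the set of .conf stanzas that turns the "uid" field from the IIS logs into an index-time field so tstats can use it. The sourcetype name "iis", the index name "iis" and the regex that picks uid out of the raw event are assumptions; adjust the regex to the actual log format.

```conf
# props.conf  (on the indexer or heavy forwarder that parses the data)
# Assumed sourcetype name: iis
[iis]
TRANSFORMS-iis_uid = iis_uid_indexed

# transforms.conf
# REGEX is an assumed example that matches "uid=<value>" in the raw event;
# events without a uid simply get no indexed field.
[iis_uid_indexed]
REGEX = (?:^|\s)uid=(\S+)
FORMAT = uid::$1
WRITE_META = true

# fields.conf  (on the search head)
# Tells search to treat uid as an indexed field (field::value lookups in
# the tsidx) instead of trying to extract it from _raw at search time.
[uid]
INDEXED = true

# Notes:
# - Restart (or reload) Splunk after editing; only data indexed after the
#   change carries the field, so older IIS events still will not show up in
#   | tstats count where index=iis by uid
# - Verify with the quick check from the thread, e.g. index=iis uid::*
#   or, on 7.3+, | walklex index=iis type=field  to list indexed fields.
```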