I am trying to get a new internal field "_application" added to certain events.
So I added a new field via the _meta setting to the inputs.conf on the forwarder.
[script:///opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/df_metric.sh]
sourcetype = df_metric
source = df
interval = 300
disabled = 0
index = server_nixeventlog
_meta = _application::<application_name>
I also added a new stanza to the fields.conf:
[_application]
INDEXED = false
#* Set to "true" if the field is created at index time.
#* Set to "false" for fields extracted at search time. This accounts for the
# majority of fields.
INDEXED_VALUE = false
#* Set to "true" if the value is in the raw text of the event.
#* Set to "false" if the value is not in the raw text of the event.
The fields.conf is deployed to indexer and SH.
But I still do not see the event.
I tried searching for
Can somebody explain to me where the problem is?
If you want to have a metadata field "external" to the event itself you must create an indexed field since the field value is not in any way contained within the event itself.
But your INDEXED=false setting says that Splunk shouldn't treat the field as indexed.
Another question is whether you really do need the external field. Isn't the information contained within the event itself? There are use cases when indexed fields can be useful, but they are rare, and quite often indexed fields are a wrong way of resolving your problem 😉
Thanks for replying so quickly.
Yeah, I do not want it to be an index-time field.
No, the information unfortunately is not statically in the event itself.
I now found out that Splunk permits using leading underscore fields, so I think I found a dead end here and have to find another solution.
If you can devise your application field from other field(s) - for example, some set of host values corresponds with application A and another set is app B - you could try using lookups or eventtypes to calculate it at search time.
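
The lookup approach suggested in the last reply, sketched as an added example that is not part of the original thread. The lookup name, the CSV file name, the host patterns, and the output field name `application` (without a leading underscore) are assumptions; only the `df_metric` sourcetype comes from the inputs.conf above.

```ini
# transforms.conf (on the search head) -- lookup definition; names are hypothetical
[host_to_application]
filename = host_to_application.csv
# allow the host column of the CSV to hold patterns such as web-*
match_type = WILDCARD(host)
# return only the first matching row, so row order decides on overlapping patterns
max_matches = 1

# props.conf (on the search head) -- automatic lookup applied at search time
# to the sourcetype set in the inputs.conf stanza above
[df_metric]
LOOKUP-application = host_to_application host OUTPUT application

# lookups/host_to_application.csv (constructed sample rows, not real hosts):
#   host,application
#   web-*,app_a
#   db-*,app_b
```

Because the mapping is resolved at search time, changing the CSV re-labels existing events without re-indexing, and no fields.conf entry is needed for the resulting field.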