Re: Index time extracted field unable to search

ips_mandar · ‎09-04-2019

I am extracting one field at index time from source field using regex and while searching field value sometime I am unable to search field value though In events it is being extracted
and currently in my fields.conf is like below
[ID]
INDEXED = true

I have gone through https://www.splunk.com/blog/2011/10/07/cannot-search-based-on-an-extracted-field.html
which says INDEXED_VALUE = false so if I update field.conf then my stanza will become-

[ID] 
INDEXED = true
INDEXED_VALUE = false

and If I update above then does it will affect on already indexed fields?
and while checking https://docs.splunk.com/Documentation/Splunk/7.3.1/admin/Fieldsconf I see - NOTE: You only need to set indexed_value if indexed = false. but in my case indexed=true is set. please clarify.
Thanks.

mguhad · ‎09-04-2019

Indexed data cannot be ultered, however it is best practice to have a test index to fiddle with until you get it right (use one-shot command too!).

Ideally you dont really need to set the parameter INDEXED_VALUE = false as this alone should be enough:
[ID]
INDEXED = True
It will only effect your indexed fields if you haven't setup the fields.conf parameter (to make them appear on the side panel).

about your issue with searching the fields, I would say, make sure you set your configs BEFORE realeasing the data from your UFs. i.e in a clustered env, push the configs to peers from the master first and THEN ingest the data , that way, the configs are applied to the incoming data correctly.

Hope this helps,
Musa

richgalloway · ‎09-04-2019

Nothing can affect already-indexed fields.

---
If this reply helps you, Karma would be appreciated.

Index time extracted field unable to search

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!