We use Cribl for field extraction. `Action` is a field that is being parsed from Cribl, and it should be an indexed field in Splunk.
I did an initial search with the query "index=client* sourcetype=unix_auth".
This returns 6 failures in the last 4 hours.
When I use the search "index=client* sourcetype=unix_auth action=fail*", it returns all 6 failed events.
When I then change the search to "index=client* sourcetype=unix_auth action=failure", it does not return any events.
But when I use "::" in the search "index=client* sourcetype=unix_auth action::failure", it returns all the events.
Sample event:
Hi @paras,
You should add your extracted indexed fields to fields.conf on your search heads. Otherwise you can only search using the :: notation. Please try the below:
fields.conf
[action]
INDEXED=true
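As an added example (not part of the original thread, and not Cribl's or Splunk's own code), the script below parses a fields.conf in Splunk's stanza format, lists which fields it declares as INDEXED=true, and flags `field=value` terms in a search for fields that are written at index time but not declared in fields.conf, suggesting the `field::value` form the answer describes. The sample fields.conf and the search strings are constructed for illustration; the set of index-time fields is passed in by the caller, since the script has no way to learn it from Cribl.

```python
"""Parse fields.conf and flag searches that need field::value instead of field=value.

Added example; the sample config and searches below are constructed, and the
set of index-time fields (what Cribl writes) is an input, not discovered.
"""
import re

# Constructed sample fields.conf from a search head: one indexed field,
# one non-indexed field, plus a comment and blank lines for the parser to skip.
SAMPLE_FIELDS_CONF = """
# fields.conf (constructed example)
[action]
INDEXED = true

[host_type]
INDEXED = false
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*?)\s*$")
# A search term of the form field=value or field::value.
TERM_RE = re.compile(r"(?P<field>[A-Za-z_][\w.]*)(?P<op>::|=)(?P<value>\S+)")


def parse_conf(text):
    """Parse a Splunk-style .conf file into {stanza: {KEY: value}}."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name").strip()
            stanzas.setdefault(current, {})
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            # Splunk setting names are case-insensitive; normalise to upper case.
            stanzas[current][m.group("key").upper()] = m.group("value")
    return stanzas


def indexed_fields(conf_text):
    """Return the set of field names the config declares with INDEXED=true."""
    return {
        name
        for name, settings in parse_conf(conf_text).items()
        if settings.get("INDEXED", "").strip().lower() == "true"
    }


def undeclared_indexed_terms(search, index_time_fields, conf_text):
    """Return field::value rewrites for each field=value term whose field is
    written at index time but not declared INDEXED=true in conf_text.

    Those are the terms that, per the answer above, return nothing with '='
    until fields.conf is fixed, and work with '::' regardless.
    """
    declared = indexed_fields(conf_text)
    rewrites = []
    for m in TERM_RE.finditer(search):
        field, op, value = m.group("field"), m.group("op"), m.group("value")
        if op == "=" and field in index_time_fields and field not in declared:
            rewrites.append(f"{field}::{value}")
    return rewrites


if __name__ == "__main__":
    search = "index=client* sourcetype=unix_auth action=failure"
    print("declared indexed:", sorted(indexed_fields(SAMPLE_FIELDS_CONF)))
    # With an empty fields.conf the action= term is flagged for rewriting.
    print("rewrite needed:", undeclared_indexed_terms(search, {"action"}, ""))
    # With the sample fields.conf declaring [action] INDEXED=true, nothing is flagged.
    print("rewrite needed:", undeclared_indexed_terms(search, {"action"}, SAMPLE_FIELDS_CONF))
```

Run it against the real fields.conf from a search head (for example the output of `splunk btool fields list --debug`, cleaned of its file-path prefixes) to see which of your Cribl index-time fields still need a stanza before `field=value` searches will match.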