Indexed field is not showing up when I use "=" in ...

paras · ‎08-12-2021

We use cribl for field extraction. `Action` is a field that is being parsed from cribl and it should be a indexed field in splunk.

Did a initial search with the query "index=client* sourcetype=unix_auth"

This returns 6 failure in the last 4 hours.

When I use the search "index=client* sourcetype=unix_auth action=fail*". It returns all 6 failed events.

when I then change the search to "index=client* sourcetype=unix_auth action=failure" It does not return any events.

But when I use the " :: " in the search "index=client* sourcetype=unix_auth action::failure" It returns all the events.

Sample event:

scelikok · ‎08-12-2021

Hi @paras,

You should add your extracted indexed fields into fields.conf on your search heads. Otherwise you can only search using :: notation. Please try below;

fields.conf

[action]
INDEXED=true

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Indexed field is not showing up when I use "=" in the search.

field extraction

fields

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation