Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

New metadata field for all events coming via UF for custom application

Charlize
Engager
‎05-01-2025 11:44 PM

Added the config for the new metadata field in the inputs.conf file and created a fields.conf file to set the field as indexed=true. Still the field is not showing up on SH. This is done for the cloud envi

inputs.conf
[monitor://D:\Splunk\abc\*.csv]

disabled = false
index = index_abc
sourcetype = src_abc
_meta = id::123
 
fields.conf
[id]
INDEXED=true
Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-02-2025 12:00 AM

Adding to valid @livehybrid points, you should set INDEXED_VALUE=false. It has nothing to do with the issue at hand but without it you won't be able to search for id=123 if then"123" string isn't contained within the raw event.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎05-01-2025 11:46 PM

Hi @Charlize 

Just to check, did you deploy the fields.conf to your cloud environment, not the UF?

Also, are you able to search the field with tstats, such as
| tstats count where index=index_abc by id

 

 

🌟Did this answer help you? If so, please consider:

    • Adding karma to show it was useful
    • Marking it as the solution if it resolved your issue
    • Commenting if you need any clarificatiob

Your feedback encourages the volunteers in this community to continue contributing.

Reply

Charlize
Engager
‎05-02-2025 01:37 AM

| tstats count where index=index_abc by id   

There are no results for this query. But events are there in the index.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-02-2025 03:57 AM

1. Again - where did you put the fields.conf? (but this shouldn't affect tstats)

2. Do you have any other _meta definitions on your UF. Did you verify the effective config with btool?

3. Try 

| walklex index=index_abc type=field

over a longer time span and see if you get your id  as one of the results.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...