Why is a search for fields added with _meta in inputs.conf not returning any results?

rainerzufall
Path Finder

Hello,

We added several fields with the _meta keyword in inputs.conf. When we search for the fields with "field::value" it is working, but when using "field=value" instead, there are no results.
We already added the new fields in fields.conf with "INDEXED=true" and "INDEXED_VALUE = false" options on our Search Heads, or is it needed to adapt the fields.conf settings on the Indexers as well?

Is there anything else to keep in mind?

Thanks,
Rainer

0 Karma
1 Solution

MuS
SplunkTrust

Hi rainerzufall,

if your inputs.conf looks like this:

[monitor::/source_file]
_meta = foo::boo

your fields.conf on the SH and IDX must look like this:

[foo]
INDEXED = true

You then can search for it using this search:

index="IndexNameHere" source="/source_file" foo="boo"

If it still does not work, use btool to check whether the configs are applied correctly and no values are being overwritten because of .conf file precedence.

Hope this helps ...

cheers, MuS

PS: You only need to set indexed_value if indexed = false http://docs.splunk.com/Documentation/Splunk/6.4.0/admin/Fieldsconf

mhoogcarspel_sp
Splunk Employee

Since 6.6, the fields.conf is applied from the search head's configuration:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Installation/Aboutupgradingto6.6READTHISFIRST#Inde...

If you added it via an app (via a deployer or otherwise),
you will need to export it to "system" if you want the setting to apply outside of the app:

in etc/apps//metadata/default.meta add:
[fields]
export = system
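As an added example, not code from any poster in this thread: a small Python check that walks the chain described in the two answers above (a field set through _meta in inputs.conf, an INDEXED = true stanza for it in fields.conf, and a default.meta that exports [fields] to system) and reports which link is missing. The three configs are constructed for the example, only unquoted space-separated _meta tokens are parsed, and fields.conf is assumed to ship in an app; the point for a defender is that a detection search written as field=value silently returns nothing when any link is broken.

```python
import configparser

# Constructed sample configs (not from the thread): the input stamps two
# indexed fields via _meta, but fields.conf only declares one of them.
INPUTS_CONF = """
[monitor:///var/log/app/source_file]
_meta = foo::boo env::prod
"""
FIELDS_CONF = """
[foo]
INDEXED = true
"""
DEFAULT_META = """
[fields]
export = system
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {lowercased key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)  # configparser lowercases option names by default
    return {s: dict(cp[s]) for s in cp.sections()}

def meta_fields(inputs):
    """field::value pairs each input stanza adds through _meta (unquoted tokens only)."""
    out = {}
    for stanza, settings in inputs.items():
        tokens = settings.get("_meta", "").split()
        pairs = dict(t.split("::", 1) for t in tokens if "::" in t)
        if pairs:
            out[stanza] = pairs
    return out

def indexed_fields(fields):
    """Field names that fields.conf marks INDEXED = true."""
    return {n for n, s in fields.items() if s.get("indexed", "").strip().lower() == "true"}

def check(inputs_text, fields_text, meta_text):
    """Findings that explain why a field=value search would match nothing."""
    declared = indexed_fields(parse_conf(fields_text))
    findings = []
    for stanza, pairs in meta_fields(parse_conf(inputs_text)).items():
        for field in pairs:
            if field not in declared:
                findings.append(f"{stanza}: '{field}' is set via _meta but fields.conf "
                                f"has no [{field}] INDEXED = true stanza")
    # Assumption: fields.conf ships in an app, so its metadata/default.meta must export it.
    export = parse_conf(meta_text).get("fields", {}).get("export", "")
    if export.strip().lower() != "system":
        findings.append("default.meta does not export [fields] to system")
    return findings
```

Run it against the real files from the search head and the indexers; an empty list from check() means the config chain is consistent for the fields listed.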

matthewssa
Path Finder

Not only if you deploy the fields.conf in an app but /etc/system/local as well. The field would show up in a search but as soon as you try to search for a specific field value it would return no results. I had to add the export = system if I was deploying it to /etc/system/local

0 Karma

rainerzufall
Path Finder

Thanks - I'll add the fields config on the Indexer as well.

0 Karma

ppablo
Retired

Hi @rainerzufall

Glad you got some insight from @MuS 🙂 If his solution answered your question, don't forget to resolve the post by clicking "Accept" directly below his answer. This will make the solution easier to find for other users with the same issue. Thanks!

0 Karma

rainerzufall
Path Finder

After applying the fields.conf to the indexer configuration, everything is fine now, even for old events...

0 Karma

ddrillic
Ultra Champion

This syntax of field::value is for a tag followed by a field name.

It's interesting whether this tagging relates to your case -
http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Tagthehostfield

0 Karma

martin_mueller
SplunkTrust

field::value is an old way of searching for fields that currently means "this field is an indexed field, regardless of fields.conf".
The tag search tag::host=foo is entirely unrelated.
