Hello,
We added several fields with the _meta keyword in inputs.conf. When we search for the fields with "field::value" it works, but when using "field=value" instead, there are no results.
We already added the new fields in fields.conf with the "INDEXED = true" and "INDEXED_VALUE = false" options on our Search Heads. Is it also necessary to adapt the fields.conf settings on the Indexers?
Is there anything else to keep in mind?
Thanks,
Rainer
Hi rainerzufall,
if your inputs.conf looks like this:
[monitor:///source_file]
_meta = foo::boo
your fields.conf on the SH and IDX must look like this:
[foo]
INDEXED = true
You can then search for it using this search:
index="IndexNameHere" source="/source_file" foo="boo"
If it still does not work, check the configs using btool to see whether they are applied correctly and no values are being overwritten because of .conf file precedence.
Hope this helps ...
cheers, MuS
PS: You only need to set indexed_value if indexed = false
http://docs.splunk.com/Documentation/Splunk/6.4.0/admin/Fieldsconf
Since 6.6, the fields.conf is applied from the search head's configuration:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Installation/Aboutupgradingto6.6READTHISFIRST#Inde...
If you added it via an app (via a deployer or otherwise), you will need to export it to "system" if you want the setting to apply outside of the app:
in etc/apps//metadata/default.meta add:
[fields]
export = system
This applies not only if you deploy the fields.conf in an app but also in /etc/system/local. The field would show up in a search, but as soon as you tried to search for a specific field value it would return no results. I had to add export = system when I was deploying it to /etc/system/local.
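Putting the answer from MuS and the export = system comment together, here is a complete set of stanzas as an added example; this is not configuration from the original thread, and the monitored path, the app name my_indexed_fields and the index name are assumptions. The security-relevant point is the one the thread turns on: an indexed field that is not declared in fields.conf makes the search head treat foo=boo as a raw-text search for "boo" followed by a filter on an extracted field foo, and since foo::boo lives only in the index, the search matches nothing, which is a silent way to lose events from a detection search.

```ini
# --- inputs.conf (on the forwarder or indexer reading the file) ---
# Every event from this input is indexed with the key/value pair foo::boo.
# The path is an assumption for this example.
[monitor:///var/log/app/app.log]
_meta = foo::boo

# --- fields.conf (deploy to BOTH the search heads AND the indexers) ---
# Declares foo as an indexed field so that a search for foo=boo is run
# against the index as foo::boo instead of as a raw-text search for "boo".
[foo]
INDEXED = true

# Not needed: per the fields.conf docs, INDEXED_VALUE only matters when
# INDEXED = false (the value is then looked for in the raw event text).
# [foo]
# INDEXED = true
# INDEXED_VALUE = false

# --- metadata/default.meta of the app shipping fields.conf ---
# e.g. $SPLUNK_HOME/etc/apps/my_indexed_fields/metadata/default.meta
# (app name is an assumption). Without the export, the search head only
# honours the fields.conf declaration inside that app's own context.
[fields]
export = system

# Search to run once everything is deployed (index name is an assumption):
# index=main source=/var/log/app/app.log foo=boo
```

After deploying, confirm the effective settings on a search head and on an indexer with `splunk btool fields list --debug` and `splunk btool inputs list --debug`; the --debug flag prints the file each setting comes from, so a copy of fields.conf in a higher-precedence location that is overriding yours shows up immediately. The same search should then return the same events whether written as foo=boo or foo::boo.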
Thanks - I'll add the fields config on the Indexer as well.
Hi @rainerzufall
Glad you got some insight from @MuS 🙂 If his solution answered your question, don't forget to resolve the post by clicking "Accept" directly below his answer. This will make the solution easier to find for other users with the same issue. Thanks!
After applying the fields.conf to the indexer configuration, everything is fine now, even for old events...
This field::value syntax is for a tag followed by a field name.
It's interesting whether this tagging relates to your case:
http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Tagthehostfield
field::value is an old way of searching for fields that currently means "this field is an indexed field, regardless of fields.conf".
The tag search tag::host=foo is entirely unrelated.