We added several fields with the meta keyword in inputs.conf. When we search for the fields with "field::value" it is working, but when using "field=value" instead, there are no results.
We already added the new fields in fields.conf with "INDEXED=true" and "INDEXEDVALUE = false" options on our Search Heads, or is it needed to adapt the fields.conf settings on the Indexers as well?
Is there anything else to keep in mind?
This syntax of field::value is for a tag followed by a field name.
It's interesting whether this tagging relates to your case -
field::value is an old way of searching for fields that currently means "this field is an indexed field, regardless of fields.conf".
The tag search tag::host=foo is entirely unrelated.
inputs.conf looks like this:
[monitor:///source_file]
_meta = foo::boo
fields.conf on the SH and IDX must look like this:
[foo]
INDEXED = true
You then can search for it using this search:
index="IndexNameHere" source="/source_file" foo="boo"
If it still does not work, check the configs using btool if they are applied correctly and there is no overwriting of values happening because of .conf file precedence.
Hope this helps ...
PS: You only need to set
indexed = false http://docs.splunk.com/Documentation/Splunk/6.4.0/admin/Fieldsconf
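The cross-check between inputs.conf and fields.conf described in the answer above, as an added example that is not part of the original post or Splunk's own tooling: a Python lint that lists fields set through _meta with no INDEXED = true stanza. The sample configs and the env::prod pair are constructed, and it assumes _meta holds space-separated key::value pairs and that "true" or "1" enables INDEXED.

```python
import configparser

# Constructed sample configs (not taken from a real deployment).
INPUTS_CONF = """
[monitor:///source_file]
_meta = foo::boo env::prod
"""

FIELDS_CONF = """
[foo]
INDEXED = true
"""

def _parse(text):
    # Splunk .conf files are INI-like; keep key case and split only on "=".
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def meta_fields(inputs_text):
    """Return {field: set(stanzas)} for every key::value pair set via _meta."""
    found = {}
    cp = _parse(inputs_text)
    for stanza in cp.sections():
        # Assumption: _meta is a space-separated list of key::value pairs.
        for pair in cp.get(stanza, "_meta", fallback="").split():
            name, sep, _value = pair.partition("::")
            if sep and name:
                found.setdefault(name, set()).add(stanza)
    return found

def indexed_fields(fields_text):
    """Return field names whose fields.conf stanza sets INDEXED to true."""
    cp = _parse(fields_text)
    return {s for s in cp.sections()
            if cp.get(s, "INDEXED", fallback="false").strip().lower() in ("true", "1")}

def missing_indexed(inputs_text, fields_text):
    """Fields written via _meta that fields.conf does not mark as indexed,
    i.e. the ones where field::value matches but field=value finds nothing."""
    declared = indexed_fields(fields_text)
    return sorted(f for f in meta_fields(inputs_text) if f not in declared)

if __name__ == "__main__":
    for field in missing_indexed(INPUTS_CONF, FIELDS_CONF):
        print(f"{field}: set via _meta but no INDEXED = true in fields.conf")
```

Run it against the merged configuration that btool reports for the search head, since that is the configuration the search actually uses.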
Glad you got some insight from @MuS 🙂 If his solution answered your question, don't forget to resolve the post by clicking "Accept" directly below his answer. This will make the solution easier to find for other users with the same issue. Thanks!
After applying the fields.conf to the indexer configuration, everything is fine now, even for old events...
Since 6.6, the fields.conf is applied from the search head's configuration:
If you added it via an app (via a deployer or otherwise),
you will need to export it to "system" if you want the setting to apply outside of the app:
in etc/apps//metadata/default.meta add:
export = system
Not only if you deploy the fields.conf in an app but /etc/system/local as well. The field would show up in a search but as soon as you try to search for a specific field value it would return no results. I had to add the export = system if I was deploying it to /etc/system/local