Splunk Search

Why is a search for fields added with _meta in inputs.conf not returning any results?

Path Finder

Hello,

We added several fields with the _meta keyword in inputs.conf. When we search for the fields with "field::value" it is working, but when using "field=value" instead, there are no results.
We already added the new fields in fields.conf with the "INDEXED = true" and "INDEXED_VALUE = false" options on our Search Heads. Is it also necessary to adapt the fields.conf settings on the Indexers?

Is there anything else to keep in mind?

Thanks,
Rainer


Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

Ultra Champion

This syntax of field::value is for a tag followed by a field name.

It's interesting whether this tagging relates to your case -
http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Tagthehostfield


Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

SplunkTrust

field::value is an old way of searching for fields that currently means "this field is an indexed field, regardless of fields.conf".
The tag search tag::host=foo is entirely unrelated.


Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

SplunkTrust

Hi rainerzufall,

if your inputs.conf looks like this:

[monitor::/source_file]
_meta = foo::boo

your fields.conf on the SH and IDX must look like this:

[foo]
INDEXED = true

You then can search for it using this search:

index="IndexNameHere" source="/source_file" foo="boo"

If it still does not work, check the configs using btool to confirm they are applied correctly and that no values are being overwritten because of .conf file precedence.

Hope this helps ...

cheers, MuS

PS: You only need to set indexed_value if indexed = false http://docs.splunk.com/Documentation/Splunk/6.4.0/admin/Fieldsconf


Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

Path Finder

Thanks - I'll add the fields config on the Indexer as well.


Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

Community Manager

Hi @rainerzufall

Glad you got some insight from @MuS 🙂 If his solution answered your question, don't forget to resolve the post by clicking "Accept" directly below his answer. This will make the solution easier to find for other users with the same issue. Thanks!


Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

Path Finder

after applying the fields.conf to the indexer configuration, everything is fine now, even for old events...


Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

Splunk Employee

Since 6.6, the fields.conf is applied from the search head's configuration:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Installation/Aboutupgradingto6.6READTHISFIRST#Inde...

If you added it via an app (via a deployer or otherwise), you will need to export it to "system" if you want the setting to apply outside of the app:

in etc/apps//metadata/default.meta add:
[fields]
export = system


Re: Why is a search for fields added with _meta in inputs.conf not returning any results?

Path Finder

Not only if you deploy the fields.conf in an app, but in /etc/system/local as well. The field would show up in a search, but as soon as you tried to search for a specific field value it would return no results. I had to add the export = system even when deploying it to /etc/system/local.

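The thread ends up with three separate configuration requirements: MuS's point that every field set through _meta needs a fields.conf stanza with INDEXED = true (on the indexers as well as the search heads), his PS that INDEXED_VALUE only belongs on a field with INDEXED = false, and the later note that an app-shipped (or /etc/system/local) fields.conf needs [fields] exported to system in default.meta. The script below is an added example, not code from the original posts or from Splunk; it parses the three files with Python's configparser and reports whichever of those conditions is violated. The file contents are constructed samples, and the function names and finding texts are this example's own.

```python
"""Consistency check for Splunk indexed fields declared via _meta.

Added example, not code from the thread or from Splunk. It parses
constructed inputs.conf / fields.conf / default.meta contents and
reports the three misconfigurations discussed in the thread:
  1. a _meta field with no `INDEXED = true` stanza in fields.conf
     (field::value still matches, field=value returns nothing);
  2. INDEXED_VALUE set on a field that already has INDEXED = true
     (the setting is only meaningful when INDEXED = false);
  3. a fields.conf whose default.meta does not export [fields] to system.
"""
import configparser


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(
        interpolation=None,      # Splunk values may contain '%' and '$'
        strict=False,            # tolerate repeated keys; the last one wins
        delimiters=("=",),       # Splunk uses only '=', never ':'
    )
    cp.optionxform = str         # keep key case: INDEXED, INDEXED_VALUE
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def meta_fields(inputs_text):
    """Map each field named in a `_meta = k::v k2::v2` line to its input stanzas."""
    fields = {}
    for stanza, opts in parse_conf(inputs_text).items():
        for token in opts.get("_meta", "").split():
            name, sep, _value = token.partition("::")
            if sep:                               # skip tokens without '::'
                fields.setdefault(name, []).append(stanza)
    return fields


def is_true(value):
    return value.strip().lower() == "true"


def lint(inputs_text, fields_text, default_meta_text=None):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    fields = parse_conf(fields_text)
    for name, stanzas in meta_fields(inputs_text).items():
        opts = fields.get(name)
        if opts is None:
            findings.append(f"{name}: no fields.conf stanza (set in {', '.join(stanzas)})")
        elif not is_true(opts.get("INDEXED", "false")):
            findings.append(f"{name}: INDEXED is not true, so {name}=value will not match")
    for name, opts in fields.items():
        if "INDEXED_VALUE" in opts and is_true(opts.get("INDEXED", "false")):
            findings.append(f"{name}: INDEXED_VALUE only applies when INDEXED = false")
    if default_meta_text is not None:
        export = parse_conf(default_meta_text).get("fields", {}).get("export", "")
        if export.strip() != "system":
            findings.append("default.meta: [fields] is not exported to system")
    return findings


def render_fields_conf(field_names):
    """Emit one `[field] / INDEXED = true` stanza per _meta field, as MuS describes."""
    return "".join(f"[{name}]\nINDEXED = true\n\n" for name in sorted(set(field_names)))


# Constructed samples, not taken from any real deployment.
INPUTS_CONF = """\
[monitor::/source_file]
_meta = foo::boo env::prod
index = app_logs

[monitor:///var/log/auth.log]
_meta = datacenter::fra1
"""

# Starting point: `env` has no stanza, INDEXED_VALUE sits next to INDEXED = true,
# and the app's default.meta does not export [fields].
FIELDS_CONF_BEFORE = """\
[foo]
INDEXED = true

[datacenter]
INDEXED = true
INDEXED_VALUE = false
"""
DEFAULT_META_BEFORE = "[fields]\naccess = read : [ * ], write : [ admin ]\n"

# Corrected configuration: stanzas generated from inputs.conf, [fields] exported.
FIELDS_CONF_AFTER = render_fields_conf(meta_fields(INPUTS_CONF))
DEFAULT_META_AFTER = "[fields]\nexport = system\n"

if __name__ == "__main__":
    for finding in lint(INPUTS_CONF, FIELDS_CONF_BEFORE, DEFAULT_META_BEFORE):
        print("BEFORE:", finding)
    print("AFTER:", lint(INPUTS_CONF, FIELDS_CONF_AFTER, DEFAULT_META_AFTER) or "consistent")
```

To use it against a real deployment, read the files from each app's local/ directory in place of the constructed strings and run it on both search-head and indexer configuration bundles, since the fix in the thread was only complete once the indexers had the stanzas too. It is a static check of the files you hand it; the merged, precedence-resolved view that MuS recommends checking still comes from `splunk btool fields list --debug` on the host in question.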