Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search
Splunk Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Search
Search the Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
3,000 results
Sorted by:
11-07-2012
03:37 PM
1 Karma
...onfiguration syntax to set up fields.conf with the same regex and number of fields.
^(? [^ ]+)\s[^ ]+\,[0-9]+ \[(? [^ ]+)\] New documents[ ]+: (? [^a-zA-Z._]*) \<[0-9 ]+ \((? [^ ]+)\)\> *DATASOURCE.(? ....
- Tags:
- field-extraction
08-01-2010
07:47 PM
2 Karma
...ac_addr
Setting fields.conf as follows:
[mac_addr]
INDEXED = false
INDEXED_VALUE = false
While using a TOKENIZER of ([^,]\*) doesn't change the behavior of a basic search, like "*" ....
02-28-2018
02:11 AM
...riting it inline none of it is working. Used fields.conf:
[allowed_ip]
TOKENIZER=([^\,]+)
Also tried to implement it in props.conf and transforms.conf:
props.conf
[abc:pce:metadata]
E...
04-20-2010
12:49 PM
3 Karma
I'm running a search based on a field extracted at search time using props.conf.
I've noticed that if I don't have a fields.conf, my search works fine. Instead if I create a fields.conf and I s...
Show results in replies (3)
-
You should not be setting anything in fields.conf for search-time extracted fields. Setting I...
-
...nstance::pango is indexed.) Since your fields are created via search-time extractions, this setting i...
-
This is technically more of a comment than an answer (both jrodman and gkanapathy covered the topic...
03-10-2021
11:04 PM
Hi, There is the description for INDEXED_VALUE in fields.conf INDEXED_VALUE = [true|false|<sed-cmd>|<simple-substitution-string>]
* Set this to true if the value is in the raw t...
Labels
- Labels:
-
administration
-
configuration
06-08-2016
02:21 PM
I was wondering if it's possible to extract an mv field, from an already extracted field, using fields.conf?
For example:
I have a series of data
ANSWER SECTION:
Offset = 0x0016, RR c...
04-30-2015
07:00 AM
...o ./etc/system/local/fields.conf :
[field_a]
TOKENIZER = ([^\|]+)
[field_b]
TOKENIZER = ([^\|]+)
The only problem is that above approach seems to have global effect across all indexes and a...
10-17-2017
02:57 AM
...vents, but its not parsing the field that I wanted,
so I used rex to get the field parsed and this worked, bu then I couldn't do any searches on the field, because I need to adjust fields.conf or s...
11-21-2018
11:38 PM
I have got a question about using _meta fields in the /opt/splunkforwarder/etc/system/local/inputs.conf
of a Splunk Universal Forwarder (deployed on an AWS EC2 Instance)
In our inputs.conf of t...
Show results in replies (3)
-
...verride of the fields.conf setting. This tags all your events and make them searchable by defining "a...
-
Hi Skalli Great, I will instruct our tooling team to change the fields.conf on the Search Head....
-
...ield definition in the /opt/splunkforwarder/etc/system/local/inputs.conf overrides the fields.conf d...
04-11-2016
07:24 AM
Hello,
We added several fields with the _meta keyword in inputs.conf. When we search for the fields with "field::value" it is working, but when using "field=value" instead, there are no results....
Show results in replies (5)
-
...oo::boo your fields.conf on the SH and IDX must look like this: [foo] INDEXED = true Y...
-
after applying the fields.conf to the indexer configuration, everything is fine now, even for old e...
-
...ndexed field, regardless of fields.conf". The tag search tag::host=foo is entirely unrelated.
-
Not only if you deploy the fields.conf in an app but /etc/system/local as well. The field would s...
-
Since 6.6, the fields.conf is applied from the search head's configuration: http://docs.splunk...
