I'm back in 2021 🙂

The "considerations around how SPL is crafted" I alluded to means you either need to search using indexed field syntax, like k8s.cluster.name::foo, or you need to configure fields.conf with your indexed fields as described in the docs: https://docs.splunk.com/Documentation/Splunk/8.2.4/Data/Configureindex-timefieldextraction#Where_to_put_the_configuration_changes_in_a_distributed_environment

Or finally, as we currently do in Cloud, presumably as a tradeoff for customer experience vs. performance worries:

always_include_indexedfield_lispy = <boolean>
* Whether or not search always looks for a field that does not have
  "INDEXED = true" set in fields.conf using both the indexed and non-
  indexed forms.
* If set to "true", when searching for <field>=<value>, the lexicon is
  searched for both "<field>::<value>" and "<value>".
* If set to "false", when searching for <field>=<val>, the lexicon is
  searched only for "<value>".
* Set to "true" if you have fields that are sometimes indexed and
  sometimes not indexed.
* For field names that are always indexed, it is much better
  for performance to set "INDEXED = true" in fields.conf for
  that field instead.
* Default: false

https://docs.splunk.com/Documentation/Splunk/8.2.4/Admin/Limitsconf#:~:text=always_include_indexedfield_lispy%20%3D%20%3Cboolean%3E%0A*%20Whether,instead.%0A*%20Default%3A%20false

As always, being lazy is fun, but it will cost perf. Setting fields.conf is definitely preferable, especially when the fields don't change very much and just take a little bit of up-front work/planning. Choose your weapon wisely, friends...
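As an added illustration (not part of the post above and not Splunk's own code), the following Python models which lexicon terms a search for an indexed field probes under the three options the post describes: the `field::value` syntax, `INDEXED = true` in fields.conf, and the `always_include_indexedfield_lispy` flag. The fields.conf text and the lexicon contents are constructed for the example; the field name `k8s.cluster.name` is taken from the post.

```python
"""Model of the lexicon lookup behaviour described in the Splunk limits.conf
spec for always_include_indexedfield_lispy. Constructed illustration only;
it is not Splunk's implementation."""
import re


def parse_fields_conf(text: str) -> dict:
    """Return {field: bool} for INDEXED settings found in fields.conf-style text."""
    indexed, stanza = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            stanza = m.group(1)
            continue
        key, _, val = line.partition("=")
        if stanza and key.strip().upper() == "INDEXED":
            indexed[stanza] = val.strip().lower() == "true"
    return indexed


def lexicon_terms(search_term: str, indexed_fields: dict,
                  always_include_indexedfield_lispy: bool = False) -> set:
    """Terms the lexicon is probed for when SPL contains search_term."""
    if "::" in search_term:                      # explicit indexed-field syntax
        field, value = search_term.split("::", 1)
        return {f"{field}::{value}"}
    field, sep, value = search_term.partition("=")
    if not sep:                                  # bare keyword search
        return {search_term}
    if indexed_fields.get(field):                # INDEXED = true in fields.conf
        return {f"{field}::{value}"}
    if always_include_indexedfield_lispy:        # lazy option: probe both forms
        return {f"{field}::{value}", value}
    return {value}                               # default: non-indexed form only


def finds_indexed_events(search_term, fields_conf_text, lispy_flag=False,
                         lexicon=frozenset({"k8s.cluster.name::foo"})):
    """True if the probed terms hit the constructed lexicon of indexed terms."""
    terms = lexicon_terms(search_term, parse_fields_conf(fields_conf_text), lispy_flag)
    return bool(terms & set(lexicon))


if __name__ == "__main__":
    conf = "[k8s.cluster.name]\nINDEXED = true\n"   # constructed fields.conf
    print(finds_indexed_events("k8s.cluster.name=foo", ""))          # False
    print(finds_indexed_events("k8s.cluster.name=foo", "", True))    # True
    print(finds_indexed_events("k8s.cluster.name=foo", conf))        # True
    print(finds_indexed_events("k8s.cluster.name::foo", ""))         # True
```

With no fields.conf stanza and the default flag, `k8s.cluster.name=foo` probes only `foo` and misses the indexed term; either of the other two options, or the `::` syntax, hits it.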