I have read this in a good many places that rather than playing with config files beforehand, it is always better to do it after providing the input and parsing , i.e. - dynamic searching. This may result in addition of fields when we use regex on the log event entries in the index obtained from Splunk.
But making changes with regex for a particular field, then obtaining one of use and then saving it is also not an easy task, especially if you are not good at regex.
Thanks.
... View more