Solved: Search gives no hits for my _meta added fields

ahattrell_splun · ‎04-27-2012

When adding an _meta entry into inputs.conf such as:

[monitor:///tmp/fwdtest]
sourcetype = sun_jvm
_meta env::prd

Whilst the field will show up when inspecting events, a search for env=prd does not return any results.

Searching for env::prd does return results as expected - though this is a deprecated approach.

ahattrell_splun · ‎04-27-2012

This can be solved by creating a appropriate entry in fields.conf on the indexer.

I used the following stansa:

[env]
INDEXED=true

tpaulsen · ‎03-05-2013

Can the value of the _meta entry be from another file?

yannK · ‎03-24-2015

the equal sign was not displayed in the post
_meta = env::prd

ahattrell_splun · ‎04-27-2012

This can be solved by creating a appropriate entry in fields.conf on the indexer.

I used the following stansa:

[env]
INDEXED=true

cramasta · ‎09-03-2015

Are you sure this has to be on the indexer and not the search head? I just tested putting this only on the search head and it looks to be working.

[newfieldname]
INDEXED = True
INDEXED_VALUE = False

Search gives no hits for my _meta added fields