I have a search:
host=127.0.0.1 type=* notification_level=Warning device_ip=192.168.0.1
If I add earliest=-12h@h to the end of the search then it fails; if I remove type=* then the search works correctly, but the field 'type' isn't extracted at all... I have to explicitly define it in the search for it to show.
The field is a REGEX defined in props/transforms and is referenced in the same way as my custom fields notification_level and device_ip. There is something obviously wonky here but I can't see what or where.
I have already tried the steps in the following URL relating to adding the fields to fields.conf:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
Draineh,
Try adding the following to $SPLUNK_HOME/etc/system/local/fields.conf:
[MyField]
INDEXED_VALUE = false
See here for more:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
Hope this helps
> please upvote and accept answer if you find it useful - thanks!
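As an added illustration (not part of the original answer), here is the search-time extraction chain the question describes, with the answer's fields.conf setting applied to the question's own field name. The sourcetype, transform name and regex are constructed for illustration; only the INDEXED_VALUE stanza is the fix proposed above.

```ini
# props.conf -- bind a search-time extraction to the sourcetype
# (sourcetype name "my_device_log" is constructed for this example)
[my_device_log]
REPORT-type = extract_type

# transforms.conf -- the regex that produces the "type" field
# (regex is constructed; it assumes "type=<value>" appears in the raw event)
[extract_type]
REGEX = \btype=(\S+)
FORMAT = type::$1

# fields.conf -- the setting from the answer, applied to the "type" field.
# With the default INDEXED_VALUE = true, Splunk treats the value in a
# "type=<value>" search term as a token that must exist verbatim in the
# raw event and filters on it before search-time extractions run, so
# events can be dropped even though the regex would have extracted the
# field. Setting it to false makes Splunk evaluate the extraction instead.
[type]
INDEXED_VALUE = false
```

Restart or refresh search-time configuration after editing so the new stanzas are picked up.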
I should have mentioned in my question that I have already tried that, I will update it.