Splunk Search

About "https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/Configureindex-timefieldextraction#Add_an_entry_to_fields.conf_for_the_new_field".

yutaka1005
Builder

There is following description in this manual.

For example, say you're performing a simple <field>::1234 extraction at index time. This could work, but you would have problems if you also implement a search-time field extraction based on a regex like A(\d+)B, where the string A1234B yields a value for that field of 1234. This would turn up events for 1234 at search time that Splunk would be unable to locate at index time with the <field>::1234 extraction.

I don't feel that Splunk is completely a "schema on the fly" in this specification...
Is this specification never modified?

I hope that it will be changed.

0 Karma
1 Solution

woodcock
Esteemed Legend

That text is AWFUL. What they are trying to say is that if you isolate a value for a field at index time where the value is not prefixed/bounded by major/minor-breakers, you need to tell splunk this by using INDEXED_VALUE=false. This is important because Splunk needs to know that the value for this field is not part of the tsidx/strings list. I submitted dox feedback pointing to this Q&A and hopefully they will make it more clear.

View solution in original post

woodcock
Esteemed Legend

That text is AWFUL. What they are trying to say is that if you isolate a value for a field at index time where the value is not prefixed/bounded by major/minor-breakers, you need to tell splunk this by using INDEXED_VALUE=false. This is important because Splunk needs to know that the value for this field is not part of the tsidx/strings list. I submitted dox feedback pointing to this Q&A and hopefully they will make it more clear.

yutaka1005
Builder

Wow, you are right.

By setting INDEXED_VALUE = false, it was possible to search even field that special extraction was done from middle of words.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...