Index time extracted field unable to search

ips_mandar · ‎09-04-2019

I am extracting one field at index time from source field using regex and while searching field value sometime I am unable to search field value though In events it is being extracted
and currently in my fields.conf is like below
[ID]
INDEXED = true

I have gone through https://www.splunk.com/blog/2011/10/07/cannot-search-based-on-an-extracted-field.html
which says INDEXED_VALUE = false so if I update field.conf then my stanza will become-

[ID] 
INDEXED = true
INDEXED_VALUE = false

and If I update above then does it will affect on already indexed fields?
and while checking https://docs.splunk.com/Documentation/Splunk/7.3.1/admin/Fieldsconf I see - NOTE: You only need to set indexed_value if indexed = false. but in my case indexed=true is set. please clarify.
Thanks.

mguhad · ‎09-04-2019

Indexed data cannot be ultered, however it is best practice to have a test index to fiddle with until you get it right (use one-shot command too!).

Ideally you dont really need to set the parameter INDEXED_VALUE = false as this alone should be enough:
[ID]
INDEXED = True
It will only effect your indexed fields if you haven't setup the fields.conf parameter (to make them appear on the side panel).

about your issue with searching the fields, I would say, make sure you set your configs BEFORE realeasing the data from your UFs. i.e in a clustered env, push the configs to peers from the master first and THEN ingest the data , that way, the configs are applied to the incoming data correctly.

Hope this helps,
Musa

richgalloway · ‎09-04-2019

Nothing can affect already-indexed fields.

---
If this reply helps you, Karma would be appreciated.

Index time extracted field unable to search

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms