Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to index a file without extracting fields?

leunammejii
New Member
‎03-27-2017 09:48 AM

I'm trying to index a file but I don't want Splunk to try to extract interesting fields. Or if it does, I want the field to be the entire contents of the file called 'contents'. Is this possible?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎03-27-2017 10:21 AM

Fields are extracted on the search head which push out knowledge bundles to the indexers when you search

To test this, do a search in Fast Mode and notice how it does not enable field discovery which means your fields are not available.. Then do a search in Smart or Verbose mode and notice your fields are available

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎03-27-2017 10:21 AM

Fields are extracted on the search head which push out knowledge bundles to the indexers when you search

To test this, do a search in Fast Mode and notice how it does not enable field discovery which means your fields are not available.. Then do a search in Smart or Verbose mode and notice your fields are available

0 Karma
Reply
Solved! Jump to solution

leunammejii
New Member
‎03-27-2017 10:25 AM

Maybe I'm understanding indexing wrong. Are these fields are not indexed when I switch to verbose mode?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎03-27-2017 11:29 AM

You technically can extract fields at index time, but its not recommended to do so for performance issues. Fields are extracted at search time by the search head, hence why the fields are available depending on which search mode you use.

You only index the data once which is when it goes from your forwarder to the indexer. The data is available to be searched on the indexer, but fields will be available because they are defined on the SH which push knowledge bundles to the indexers when the indexers begin to search the data

Remember that indexers are responsible for indexing AND searching the data

0 Karma
Reply
Solved! Jump to solution

leunammejii
New Member
‎03-27-2017 11:37 AM

It all makes sense now. Thanks for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...