Hello all,
I am indexing database data into Splunk. I am forwarding the data from heavy forwarders to indexers. I have defined host, source, sourcetype and index defined in the DB connect.
Now when I try creating calculated fields in Splunk es search head-on this data, I don't see it working whatsoever. eventtypes and tags work but bot a calculated field. the same calculated field works fine if I run it as a query.
I have defined the calc field based on the source name. I even created a dummy sourcetype with that name but nothing seems to work.
Requesting help in sorting this out.
... View more