A few weeks ago I downloaded the Trial Splunk Enterprise version and installed the Splunk DB Connect app to output my data to a SQL Server database. It is working, but for some reason the custom fields I have created do not get sent to my database, yet the default fields do. I tried multiple approaches and I found that when I have a search containing a custom field, no data will get sent. If I do a search using a default field I will get the expected results, but the information from my custom fields will not populate in the DB. However, setting up the search with the custom fields does return results within the DB Connect interface. I am thinking that I need to add something like
[myField]
INDEXED = True
INDEXED_VALUE = False
to the config files but I'm new to Splunk and I'm not sure which one(s) because I can't see which file contains the defaults. Please, any thoughts or suggestions would be much appreciated. Thank you in advance.