Hello all, I'm new to Splunk, so please bear with me as I ask a really n00bish question.
Is it necessary to define your fields ahead of time?
For example, say I have a collection of attributes that I want to log. Let's say the attributes are arbitrary in number, anywhere from 20 to 40, and I don't know what they will be ahead of time. So, for example, sometimes the key "foo" will be part of the collection, and sometimes it won't be.
The attributes take the form of key/value pairs. What I want to do is write this collection to a log, and then be able to use all of Splunk's standard features to search my logs based on these keys.
From the little that I know about Splunk, I get the feeling that I want these keys to be fields. But if I have to know what these fields are ahead of time, and they have to be present in every log line, that fouls up my whole plan.
And so I ask unto you, oh wise Splunkfolk, what's the best way of going about this?
I guess I could just put the whole collection into one big freetext field, but if I did that, wouldn't I miss out on a bunch of Splunk's best features?
Thanks for the help and patience.
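As an added example (not part of the original post, and not Splunk's own code): a small Python emitter that writes each event as space-separated `key=value` pairs, which is the shape Splunk's search-time automatic extraction (`KV_MODE = auto`, the default) turns into fields without any field being defined up front or present on every line, plus a reference parser that mirrors that extraction so you can check that an optional key such as "foo" becomes a field only on the events where it appears. The sample events, the hypothetical field names and the quoting convention are constructed assumptions; the JSON emitter is shown as the alternative shape Splunk can also extract automatically.

```python
"""Log arbitrary key/value attributes so each key becomes a searchable field.

Added example, not code from the original post or from Splunk. The events
below are constructed; the key names are hypothetical.
"""
import json
import re
import time
from typing import Any, Dict, Optional

# Constructed sample events: the attribute set differs from event to event,
# and "foo" only appears on the first one.
SAMPLE_EVENTS = [
    {"action": "login", "user": "alice", "src_ip": "10.0.0.5", "foo": "bar"},
    {"action": "download", "user": "bob", "file": "quarterly report.pdf", "bytes": 48213},
    {"action": "login", "user": "mallory", "result": "failure", "reason": 'bad "password"'},
]

# Values made only of these characters can be written bare; anything else
# (spaces, '=', quotes) is double-quoted so the extractor sees one value.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.:/@-]+$")
_FIELD_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _quote(value: Any) -> str:
    """Render one value; escape backslashes and embedded double quotes."""
    s = str(value)
    if _SAFE_TOKEN.match(s):
        return s
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _timestamp(ts: Optional[float]) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(time.time() if ts is None else ts))


def format_kv_event(attrs: Dict[str, Any], ts: Optional[float] = None) -> str:
    """One log line: timestamp followed by key=value pairs, keys sorted for stability."""
    parts = [_timestamp(ts)]
    for key in sorted(attrs):
        if not _FIELD_NAME.match(key):
            raise ValueError(f"key {key!r} is not a safe field name")
        parts.append(f"{key}={_quote(attrs[key])}")
    return " ".join(parts)


def format_json_event(attrs: Dict[str, Any], ts: Optional[float] = None) -> str:
    """Alternative shape: one JSON object per line; nested values stay structured."""
    return json.dumps({"time": _timestamp(ts), **attrs}, sort_keys=True)


# Reference extractor mirroring key=value auto-extraction: a bare token or a
# double-quoted string with backslash escapes. Used here to verify the output.
_KV = re.compile(r'(\w+)=("((?:[^"\\]|\\.)*)"|\S+)')


def parse_kv_event(line: str) -> Dict[str, str]:
    """Return the fields a key=value extractor would pull from one line."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else raw
    return fields


def events_with_field(events, field: str, ts: Optional[float] = 0) -> int:
    """Count how many formatted events expose `field` after extraction."""
    return sum(field in parse_kv_event(format_kv_event(e, ts)) for e in events)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        line = format_kv_event(event, ts=0)
        print(line)
        print("  ->", parse_kv_event(line))
    print("events carrying foo:", events_with_field(SAMPLE_EVENTS, "foo"))
```

Searching `foo=bar` in Splunk then matches only the events that carried that key; events without it simply have no `foo` field, which is what the varying attribute set needs. Quote any value that can contain spaces, `=` or quotes, otherwise the extractor splits it into the wrong field.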