Configure fields.conf

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Configuration

Configure fields.conf

Use fields.conf to configure how Splunk handles user-defined fields at index time.

Configure fields.conf to:

Tell Splunk how to handle multi-value fields.
Distinguish indexed and extracted fields.
Improve search performance by telling the search processor how to handle field values.

Configuration

[<field name>]
TOKENIZER = $REGEX
INDEXED = True/False
INDEXED_VALUE = True/False

tokenizer

Use tokenizer to configure multi-value fields.

indexed

Indicate whether a field is indexed or not.
Set to "true" if the field is indexed.

indexed_value

Indicate whether the values for a field are in the index.
For example, if you search for foo=bar, indexed_value tells search whether the value 'bar' is in the index or not (eg will the values for this field be found in _raw - the raw text of the event).
Set indexed_value to true if the value is in the raw text of the event.
Set it to false if the value is not in the raw text of the event.

Note: You only need to set indexed_value if indexed = false.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/3.2.6/Admin/ConfigureFieldsconf"

« Field actions Configure multi-value fields »

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Admin Manual

Configure fields.conf

Contents

Configure fields.conf

Configuration

Comments