The following are the spec and example files for fields.conf.
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.3 # # This file contains possible attribute and value pairs for: # * Telling Splunk how to handle multi-value fields. # * Distinguishing indexed and extracted fields. # * Improving search performance by telling the search processor how to handle field values. # Use this file if you are creating a field at index time (not advised). # # There is a fields.conf in $SPLUNK_HOME/etc/system/default/. To set custom configurations, # place a fields.conf in $SPLUNK_HOME/etc/system/local/. For examples, see fields.conf.example. # You must restart Splunk to enable configurations. # # To learn more about configuration files (including precedence) please see the documentation # located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles [<field name>] * Name of the field you're configuring. * Follow this stanza name with any number of the following attribute/value pairs. * Field names can only contain a-z, A-Z, 0-9, and _, but cannot begin with a number or _ # TOKENIZER indicates that your configured field's value is a smaller part of a token. # For example, your field's value is "123" but it occurs as "foo123" in your event. TOKENIZER = <regular expression> * Use this setting to configure multivalue fields (refer to the online documentation for multivalue fields). * A regular expression that indicates how the field can take on multiple values at the same time. * If empty, the field can only take on a single value. * Otherwise, the first group is taken from each match to form the set of values. * This setting is used by the "search" and "where" commands, the summary and XML outputs of the asynchronous search API, and by the top, timeline and stats commands. * Tokenization of indexed fields (INDEXED = true) is not supported so this attribute is ignored for indexed fields. * Default to empty. INDEXED = [true|false] * Indicate whether a field is indexed or not. * Set to true if the field is indexed. * Set to false for fields extracted at search time (the majority of fields). * Defaults to false. INDEXED_VALUE = [true|false] * Set this to true if the value is in the raw text of the event. * Set this to false if the value is not in the raw text of the event. * Setting this to true expands any search for key=value into a search of value AND key=value (since value is indexed). * Defaults to true. * NOTE: You only need to set indexed_value if indexed = false.
# Copyright (C) 2005-2011 Splunk Inc. All Rights Reserved. Version 4.3 # # This file contains an example fields.conf. Use this file to configure dynamic field extractions. # # To use one or more of these configurations, copy the configuration block into # fields.conf in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to # enable configurations. # # To learn more about configuration files (including precedence) please see the documentation # located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles # # The following example can be used with the IMAP bundle (found here: # http://www.splunkbase.com/addons/All/Technologies/Mail/addon:IMAP+Addon .) # These tokenizers result in the values of To, From and Cc treated as a list, # where each list element is an email address found in the raw string of data. [To] TOKENIZER = (\w[\w\.\-]*@[\w\.\-]*\w) [From] TOKENIZER = (\w[\w\.\-]*@[\w\.\-]*\w) [Cc] TOKENIZER = (\w[\w\.\-]*@[\w\.\-]*\w)
This documentation applies to the following versions of Splunk® Enterprise: 4.3