Topics

| pdf version

How Splunk Works

Getting Started

Data Inputs

Data Distribution

Indexing

Timestamps

Fields

Hosts

Source Types

Event Types

Search

Distributed Search

Security

Data Management

Deployment Server

Performance Tuning

Configuration Files

Applications

Reference

Troubleshooting


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Configure fields.conf

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6

Configure fields.conf

Use fields.conf to configure how Splunk handles user-defined fields at index time.


Configure fields.conf to:


  • Tell Splunk how to handle multi-value fields.
  • Distinguish indexed and extracted fields.
  • Improve search performance by telling the search processor how to handle field values.

Configuration 

[<field name>]
TOKENIZER = $REGEX
INDEXED = True/False
INDEXED_VALUE = True/False

tokenizer

indexed

  • Indicate whether a field is indexed or not.
  • Set to "true" if the field is indexed.

indexed_value

  • Indicate whether the values for a field are in the index.
  • For example, if you search for foo=bar, indexed_value tells search whether the value 'bar' is in the index or not (eg will the values for this field be found in _raw - the raw text of the event).
  • Set indexed_value to true if the value is in the raw text of the event.
  • Set it to false if the value is not in the raw text of the event.

Note: You only need to set indexed_value if indexed = false.

Retrieved from "http://www.splunk.com/base/Documentation/3.2/Admin/ConfigureFieldsconf"
Revision: 207 | Contact | Privacy Policy | Terms of Use | Community content licensed under Creative Commons

Copyright © 2005-2009 Splunk Inc. All rights reserved.