This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6
A field is any searchable name/value pair. A field is distinguished from the free-form indexed segments of an event in that fields are labeled and can be searched by label. For example, host=foo is a field whose name is host and whose value is foo. You can search on any field name or on a specific value of a field.
Fields are categorized by how and when they are processed. Configure fields that are created at indexing time (indexed fields) or fields that are created at search time (extracted fields).
Indexed fields are captured in real time as events are processed and indexed by Splunk. Information about where the event came from, what type of event it is, its source type, and so on is extracted by Splunk's input processor. You can configure Splunk to index additional indexed fields. Indexed fields are useful for creating event type templates.
Extracted fields are created at search time. Splunk picks out obvious name/value pairs in search results, such as user_id or client_ip. This dynamic extracted field list can be used in filters and reports. Configure Splunk to create new extracted fields. Extracted fields cannot be used to create new event types.
Fields extracted at index time have a negative impact on indexing performance. However, they are quicker to return in a search (especially when fields.conf is configured correctly, so that the search looks the field up in the index rather than scanning the raw event text). Indexed fields are also less flexible: if you want to change the definition of an indexed field, your only option is to re-index the entire dataset.
Extracted fields are much more flexible and can be redefined on the fly. They have no negative impact on indexing. However, they do make searches run slower.
If you are not completely sure which option to choose, try extracted fields first. They allow more flexibility, should you make a mistake with your configuration.
Define fields with Splunk's interactive field extraction, or create fields manually with props.conf, transforms.conf and fields.conf using the following process. Note: The process for defining new fields is nearly the same for indexed and extracted fields.
1. Create or edit local copies of the configuration files in $SPLUNK_HOME/etc/bundles/local/ (leave the shipped copies in $SPLUNK_HOME/etc/bundles/default/ untouched.)
2. In props.conf, specify the source, source type or host containing the events and assign a name that identifies the transform in transforms.conf.
3. In transforms.conf, create the named transform stanza and supply the regex that extracts the field.
4. Edit fields.conf to set additional processing information. Read more about how to configure fields.conf.
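The following is an added example that walks the four steps above for one indexed field and one extracted field; it is not taken from the Splunk documentation or shipped with Splunk. The sourcetype webapp_auth, the field names src_ip and user, the regexes and the sample event are all assumptions made for illustration. The attribute names (TRANSFORMS-, REPORT-, REGEX, FORMAT, WRITE_META, INDEXED) follow the conventions of the Splunk 3.x configuration files; check them against the .spec files shipped with your installation before relying on them.

```ini
# Added example, not Splunk's own configuration. Assumed sourcetype "webapp_auth"
# and a constructed sample event that the regexes below are written against:
#   2008-03-01 12:00:01 sshd[2231]: Failed password for user=alice from 10.0.0.5 port 4122
#
# Step 1: all three files live under $SPLUNK_HOME/etc/bundles/local/, never under default/.

# ---- $SPLUNK_HOME/etc/bundles/local/props.conf ----
# Step 2: the stanza names the sourcetype; a [source::<path>] or [host::<name>] stanza
# would restrict the rules to a source or host instead (assumed stanza forms).
[webapp_auth]
# TRANSFORMS-<class> runs at index time: src_ip is stored with the event and
# changing this rule later means re-indexing the data.
TRANSFORMS-srcip = webapp_auth_srcip
# REPORT-<class> runs at search time: user is extracted when the search runs,
# so the regex can be corrected at any time without touching the index.
REPORT-user = webapp_auth_user

# ---- $SPLUNK_HOME/etc/bundles/local/transforms.conf ----
# Step 3: one named stanza per field, with the regex and the field::value format.
[webapp_auth_srcip]
# Capture the dotted-quad after "from" and before "port"; $1 is the first group.
REGEX = from\s(\d{1,3}(?:\.\d{1,3}){3})\sport
FORMAT = src_ip::$1
# Required for an index-time field: write the name/value pair into the event metadata.
WRITE_META = true

[webapp_auth_user]
# Search-time extraction: no WRITE_META, the pair is only produced in search results.
REGEX = user=(\w+)
FORMAT = user::$1

# ---- $SPLUNK_HOME/etc/bundles/local/fields.conf ----
# Step 4: tell search that src_ip lives in the index, so a search such as
# src_ip=10.0.0.5 is answered from the index rather than by scanning raw text.
[src_ip]
INDEXED = true
```

After restarting Splunk, events indexed under the webapp_auth sourcetype carry src_ip permanently, while user appears in the Fields list only when a search touches those events. If the src_ip regex turns out to be wrong, the already indexed events keep the wrong value until they are re-indexed, which is the trade-off the previous section describes; a mistake in the user regex is fixed by editing transforms.conf and re-running the search.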
Splunk automatically extracts fields from your data and adds them to the Fields drop-down menu in Splunk Web. You can disable this feature via props.conf for a specific source, source type or host. Add the attribute/value pair KV_MODE = none to the appropriate [<spec>] stanza in $SPLUNK_HOME/etc/bundles/local/props.conf:
    [<spec>]
    KV_MODE = none
<spec> can be the source, source type or host whose automatic extraction you want to turn off.
Indexed and extracted fields are configured through a combination of props.conf, transforms.conf and fields.conf. Before manually modifying any configuration file, read about configuration files.