Configure fields.conf

Configure fields.conf

Use fields.conf to configure how Splunk handles user-defined fields at index time and search time. Edit fields.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

Configure fields.conf to:

• Tell Splunk how to handle multi-value fields.
• Distinguish indexed and extracted fields.
• Improve search performance by telling the search processor how to handle field values.

Configuration

[<field name>]
TOKENIZER = <regex>
INDEXED = true | false
INDEXED_VALUE = true | false

[<field name>]

• Name of the field you're configuring.
• Follow this stanza name with any number of the following attribute/value pairs.

TOKENIZER = <regular expression>

• A regular expression that indicates how the field can take on multiple values at the same time.
  • Use this setting to configure multi-value fields.
• If empty, the field can only take on a single value.
• Otherwise, the first group is taken from each match to form the set of values.
• This setting is used by search/where (the search command), the summary and XML outputs of the asynchronous search API, and by the top, timeline and stats commands.
• Default to empty.

INDEXED = true | false

• Indicate whether a field is indexed or not.
• Set to true if the field is indexed.
• Set to false for fields extracted at search time (the majority of fields).
• Defaults to false.

INDEXED_VALUE = true | false

• Set indexed_value to true if the value is in the raw text of the event.
• Set it to false if the value is not in the raw text of the event.
• Setting this to true expands any search for key=value into a search of value AND key=value (since value is indexed).
• Defaults to true.
• Note: You only need to set indexed_value if indexed = false.