New index time fields from a syslog
Hello, small question about index time fields. If I want to create a new field with my logs coming from a syslog (eval function on my Cribl), do I have to put a fields.conf file on my Splunk instance which declares all the new fields I will create from Cribl? Example fields.conf:

    [my_field]
    INDEXED=true

    [my_field2]
    INDEXED=true

Is this the only prerequisite for not having an error during indexing? As for the fields.conf, do you have to put it on the SH and IDX also in a distributed environment?
Answers
- My goal is to redo what a TA does, but in Cribl, because I have a problem with the index time when I pass my syslog through Cribl: the TA can't extract the fields I want correctly.

- So, you can send whatever index-time fields you like to Splunk from Cribl; no fields.conf needed.

- However, without fields.conf on your SH, you will run into more or less problems during searches using those fields.

- So indexing is totally unrelated to fields.conf, but searching is not.
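Since the answers put the fields.conf on the search head only, and the fields come from Cribl Eval functions, one way to keep the two in step is to generate the fields.conf stanzas from the pipeline itself. This is an added example, not code from the thread or from Cribl; the pipeline JSON shape it reads (a "functions" list whose Eval entries carry conf.add with name/value pairs) is an assumption to check against your Cribl export.

```python
"""Generate Splunk fields.conf stanzas from the fields a Cribl pipeline adds.

Added example, not from the original post. The pipeline layout below
(functions[].id == "eval", conf.add[] of {name, value}) is an assumption.
"""
import json
import re

# Constructed sample: two Eval functions adding index-time fields (one
# field added twice, one internal field) and a Drop function adding nothing.
SAMPLE_PIPELINE = json.dumps({
    "id": "syslog_enrich",
    "functions": [
        {"id": "eval", "filter": "true",
         "conf": {"add": [{"name": "my_field", "value": "host"},
                          {"name": "my_field2", "value": "'pri'"}]}},
        {"id": "eval", "filter": "sourcetype=='syslog'",
         "conf": {"add": [{"name": "my_field", "value": "'x'"},
                          {"name": "_raw", "value": "_raw.trim()"}]}},
        {"id": "drop", "filter": "false", "conf": {}},
    ],
})

# Splunk-internal fields (leading underscore) are not declared as custom
# indexed fields.
INTERNAL = re.compile(r"^_")


def eval_fields(pipeline_json: str) -> list[str]:
    """Distinct, non-internal field names that Eval functions add, in order."""
    pipeline = json.loads(pipeline_json)
    seen: dict[str, None] = {}
    for fn in pipeline.get("functions", []):
        if fn.get("id") != "eval":
            continue
        for entry in fn.get("conf", {}).get("add", []):
            name = entry.get("name", "")
            if name and not INTERNAL.match(name):
                seen.setdefault(name, None)
    return list(seen)


def render_fields_conf(names: list[str]) -> str:
    """One [name] stanza with INDEXED = true per field, as fields.conf expects."""
    return "".join(f"[{n}]\nINDEXED = true\n\n" for n in names)


if __name__ == "__main__":
    # Deploy the output to the search head(s); the indexers do not need it.
    print(render_fields_conf(eval_fields(SAMPLE_PIPELINE)), end="")
```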