
Hello, a small question about index-time fields. If I want to create a new field from my logs coming from a syslog (eval function on my Cribl), do I have to put a fields.conf file on my Splunk instance that declares all the new fields I will create from Cribl? Example of fields.conf:

    [my_field]
    INDEXED=true

    [my_field2]
    INDEXED=true

Is this the only prerequisite for not having an error during indexing? As for the fields.conf, do you also have to put it on the SH and IDX in a distributed environment?

My goal is to redo what a TA does but in Cribl, because I have a problem with index time when I pass my syslog through Cribl: the TA can't extract the fields I want correctly.


So, you can send whatever index-time fields you like to Splunk from Cribl; no fields.conf needed.


However, without fields.conf on your SH, you will run into more or less problems during searches using those fields.


So indexing is totally unrelated to fields.conf, but searching is not
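As an added illustration (not part of the thread above), this is the search-head fields.conf that the answer refers to, assuming the Cribl-created fields are named my_field and my_field2 (placeholder names taken from the question):

```conf
# fields.conf, deployed to the search head(s) in a distributed environment.
# Indexers do not need it to accept the fields; the search tier does, so that
# "my_field=<value>" is answered from the tsidx index-time field rather than
# by searching _raw for the literal value and then applying search-time
# extraction, which misses events where the value only exists as an indexed field.
[my_field]
INDEXED = true

[my_field2]
INDEXED = true
```

To confirm the fields actually arrived as index-time fields, `| tstats count where index=<your_index> by my_field` only returns counts for fields that exist in the tsidx files; search-time extracted fields are not visible to tstats.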

