Hello, small question about index time fields, if I want to create a new field with my logs coming from a syslog (eval function on my cribl), I have to put a fields.conf file on my splunk instance which declares all the new fields I will create from cribl ?example on fields.conf :[my_field]INDEXED=true[my_field2]INDEXED=trueIs this the only prerequisite for not having an error during indexing? As for the fields.conf, do you have to put it on the SH and IDX also in a distributed environment?
Question
New index time fields from a syslog
my goal is to redo what a TA does but in cribl, because I have a problem with the index time when I pass my syslog through cribl, the TA can't extract the fields I want correctly
However, without fields.conf on your SH, you will run in more or less problems during searches using those fields
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.