

Unless absolutely necessary, do not add custom fields to the set of default fields that Splunk software automatically extracts and indexes at index time. This includes fields such as timestamp, punct, host, source, and sourcetype. Adding to this list of fields decreases performance, as each indexed field increases the size of the searchable index. Also, you can't change the fields on data that have already been indexed; you can only apply search-time knowledge to those events.

In general, you should try to extract your fields at search time. However, there are times when you might need to add to the set of custom indexed fields that are applied to your events at index time.

For example, you might have certain search-time field extractions that noticeably impact search performance. This can happen if you typically search a large event set with expressions like foo!=bar or NOT foo=bar, and the field foo nearly always takes on the value bar: the negation can only be evaluated after the extraction has run against every event in the set, so almost all of that work is spent on events that are then discarded.

You also might want to add an indexed field if the value of a search-time extracted field exists outside of the field more often than not. For example, if you typically search only for foo=1, but 1 occurs in many events that do not have foo=1, you might want to add foo to the list of fields extracted by Splunk at index time. With a search-time field, the search first retrieves every event containing the term 1 and then runs the extraction to filter out the rest; with an indexed field, foo=1 is resolved directly against the index.

For more information about creating custom field extractions, see About fields in the Knowledge Manager manual.

If you have Splunk Cloud Platform and want to define index-time field extractions, you must create a private app that contains your desired configurations. If you are a Splunk Cloud Platform administrator with experience creating private apps, see Manage private apps in your Splunk Cloud Platform deployment. If you have not created private apps, contact your Splunk account representative for help with this customization.

Define additional indexed fields by editing props.conf, transforms.conf, and fields.conf. Edit these files in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.
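As an added example (not taken from the Splunk documentation this page reproduces), the following stanzas define the field foo from the foo=1 scenario above as an indexed field. The sourcetype name my_app_log, the transform name my_app_indexed_foo and the regular expression are hypothetical placeholders; substitute your own. The three fragments belong in separate files, named in the comments, under $SPLUNK_HOME/etc/system/local/ or the local/ directory of your own app.

```ini
# props.conf
# Apply the index-time transform to every event of the (hypothetical) sourcetype.
# Index-time transforms run where parsing happens (indexer or heavy forwarder),
# so this file must be deployed there, not only on the search head.
[my_app_log]
TRANSFORMS-extract_foo = my_app_indexed_foo

# transforms.conf
# Capture the value after "foo=" in the raw event and write it to the index
# as the field "foo". WRITE_META = true is what makes this an index-time
# extraction; without it the stanza would only be usable at search time.
[my_app_indexed_foo]
REGEX = \bfoo=(\S+)
FORMAT = foo::$1
WRITE_META = true

# fields.conf
# Tell the search head that "foo" is an indexed field, so a search such as
# foo=1 is resolved against the index instead of extracting foo from every
# event that happens to contain the term "1".
[foo]
INDEXED = true
```

These settings take effect only for data indexed after the configuration is loaded; events already in the index keep the fields they were indexed with, exactly as the text above states. Before committing to the change, confirm the extraction is worth its index overhead by comparing, on a representative time range, the event count of a search for the bare term against the count for the field match (for example, the count returned by searching 1 versus foo=1 with the search-time extraction in place). In Splunk Cloud Platform, package the same three files in a private app rather than editing system/local directly.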
