I am in the process of creating a dedicated index for our JSON data, but I want to get it right. My goal is to allow some very quick searches on just a few of the fields in the JSON messages; the rest can be slower. I'd like to be able to search 6 million entries on particular fields within a few seconds.
During insertion into the index, I set a props.conf entry to do the following to my sourcetype:
```conf
[my-source-type]
SEDCMD-StripHeader = s/^[^\{]+(\{.*$)/\1/
KV_MODE=json
```
Now, I'd like to specify about 6 fields from the JSON out of about 40 for indexing for fast lookups of the events.
What is the best way to do this? Which .conf files? I thought fields.conf might help, but my data is already nicely parsed by Splunk. I don't think indexes.conf would help me here.
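As an added illustration (not the poster's configuration), this is the shape an index-time extraction takes in Splunk for one of the chosen fields: props.conf points the sourcetype at a transforms.conf stanza that writes the value into the index, and fields.conf marks the field as indexed so searches use it directly. The field name `user_id` and the regex are constructed assumptions; the search-time `KV_MODE=json` extraction from the question is kept for the remaining fields.

```conf
# props.conf (assumed: same sourcetype as in the question)
[my-source-type]
SEDCMD-StripHeader = s/^[^\{]+(\{.*$)/\1/
KV_MODE=json
# runs at index time, after the SEDCMD has stripped the header
TRANSFORMS-indexed-user-id = extract_user_id

# transforms.conf
[extract_user_id]
# constructed example: captures the string value of a top-level "user_id" key
REGEX = "user_id"\s*:\s*"([^"]+)"
# field::value form; WRITE_META stores it as an indexed field
FORMAT = user_id::$1
WRITE_META = true

# fields.conf
[user_id]
INDEXED = true
```

Each indexed field adds to the index size and cannot be changed for data already written, so test the regex against a sample of events before rolling it out for all six fields.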