I am extracting one field at index time from source field using regex and while searching field value sometime I am unable to search field value though In events it is being extracted
and currently in my fields.conf is like below
[ID]
INDEXED = true
I have gone through https://www.splunk.com/blog/2011/10/07/cannot-search-based-on-an-extracted-field.html
which says `INDEXED_VALUE = false` so if I update field.conf then my stanza will become-
[ID]
INDEXED = true
INDEXED_VALUE = false
and If I update above then does it will affect on already indexed fields?
and while checking https://docs.splunk.com/Documentation/Splunk/7.3.1/admin/Fieldsconf I see - `NOTE: You only need to set indexed_value if indexed = false.` but in my case indexed=true is set. please clarify.
Thanks.
↧