We need to add to fields.conf any indexed fields we create, or else they will not be searched efficiently, or may even not function at all. For our examples in the transforms.conf section, fields.conf would look like this:
[session_type]
INDEXED = true

[session]
INDEXED = true

[host_owner]
INDEXED = true

[host_type]
INDEXED = true

[slow_request]
INDEXED = true

[loglevel]
INDEXED = true
These stanzas instruct Splunk not to look in the body of the events for the value being queried. Take, for instance, the following search:
host_owner=vlb
Without this entry, the actual query would essentially be:
vlb | search host_owner=vlb
Since this expects the value vlb to be in the body of the event, the query simply won't work. Adding ...
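To show where the fields.conf stanza sits in the full index-time extraction chain, here is an added example for the host_owner field; it is not from the original text. The sourcetype name access_custom, the log format in which the owner appears as owner=<name>, and therefore the regex are all assumptions.

```ini
# props.conf -- hypothetical sourcetype; runs the transform at index time
[access_custom]
TRANSFORMS-host_owner = host_owner

# transforms.conf -- assumes raw events contain "owner=vlb" (constructed format)
[host_owner]
REGEX = owner=(\w+)
FORMAT = host_owner::$1
WRITE_META = true

# fields.conf -- tells search to resolve host_owner from index metadata,
# not by scanning the event body for the bare value
[host_owner]
INDEXED = true
```

With all three stanzas in place, host_owner=vlb is answered from the indexed field; leaving out only the fields.conf stanza produces the body-scanning behaviour described above, which is the usual cause of an indexed field that "works" in some searches and returns nothing in others.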