Reputation: 3171
I have a bunch of application servers I would like to monitor using Splunk. Servers in every environment run the same applications. Looking for a way to tag this information in order to easily disentangle stage servers from prod servers in my dashboards, I came across this trick while reading forums.

`inputs.conf` of forwarders on production machines:

```
[default]
_meta = env::prod
```

`inputs.conf` of forwarders on stage machines:

```
[default]
_meta = env::stage
```

With this trick, I end up with an `env` field in my parsed data.

```
index=* | stats count by env
```

| env | count |
|:------:|:-----:|
| stage |2415686|
| prod |55677 |

I can't filter on `env`:

```
index=* logLevel="ERROR" projectName != "null" env="prod" | stats count(_raw) by projectName
```

Why is that so?
Upvotes: 3
Views: 600
Reputation: 3171
Ok, in my case, `env` was merely a tag (which are not indexed by default). In order to index them, you need to explicitly ask for it in `fields.conf`:

```
[env]
INDEXED = true
```

Upvotes: 2
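
The mismatch described in this thread (a field set through `_meta` in `inputs.conf` with no matching `INDEXED = true` stanza in `fields.conf`) can be caught before deployment. The following is an added example, not part of the original posts: the function names are hypothetical and the sample configs are constructed from the snippets above.

```python
import re

# Constructed samples mirroring the configs in the question and the answer.
INPUTS_CONF = "[default]\n_meta = env::prod\n"
FIELDS_CONF_BEFORE = ""                        # question: no fields.conf entry
FIELDS_CONF_AFTER = "[env]\nINDEXED = true\n"  # answer: field declared indexed


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def meta_fields(inputs_text):
    """Return the field names set through _meta in any inputs.conf stanza."""
    names = set()
    for settings in parse_conf(inputs_text).values():
        # _meta holds space-separated name::value pairs.
        for pair in settings.get("_meta", "").split():
            name, sep, _value = pair.partition("::")
            if sep and name:
                names.add(name)
    return names


def undeclared_meta_fields(inputs_text, fields_text):
    """Return _meta fields that fields.conf does not mark INDEXED = true."""
    fields = parse_conf(fields_text)
    missing = []
    for name in sorted(meta_fields(inputs_text)):
        indexed = fields.get(name, {}).get("INDEXED", "").lower()
        if indexed not in {"true", "1"}:  # other spellings are flagged for review
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("before:", undeclared_meta_fields(INPUTS_CONF, FIELDS_CONF_BEFORE))
    print("after: ", undeclared_meta_fields(INPUTS_CONF, FIELDS_CONF_AFTER))
```

`fields.conf` is read at search time, so the file to check is the one deployed to the search head, not the forwarder's.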