How does Field discovery work on Search heads?

I have a Splunk Search head that gets data from a Splunk Server that is indexing IIS logs. When I Query on the Indexing Server, SPlunk Autodiscovers the IIS headers which allows me to query using those headers.

Example: index=iis sc_status="404".

However, the fields aren't autodiscovered on the search head, so the same query doesn't return any results. Does anyone know how to populate the autodiscovered IIS fields on a search head?

asked 02 May '11, 06:40

rnavis
410●3●10
accept rate: 25%

One Answer:

oldest newest most voted

rnavis,

By default Splunk applies a property called "KV_MODE = auto" which will extract keys and values separated by an equal (=) sign. In this case it should extract "sc_status". This would occur when searches are executed from the search head and distributed to the indexers, or the search is executed directly on the indexer.

There are a few things that would disable this:

Setting "KV_MODE = none" on host/source/sourcetype
Field discovery switch is set to off in search view (flashtimeline)

link

answered 02 May '11, 09:45

hazekamp
2.2k●2●18
accept rate: 38%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

iis ×78
search-head ×77

Asked: 02 May '11, 06:40

Seen: 1,714 times

Last updated: 02 May '11, 09:45

How does Field discovery work on Search heads?

Follow this question

Splunk Resources

Related questions