Splunk_Docker/files/splunkbeta/etc/system/default/fields.conf

#   Version 9.2.2.20240415
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local  
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file contains possible attribute and value pairs for creating
# dynamic field extractions.
#

TOKENIZER = 
INDEXED = False
INDEXED_VALUE = True

[source]
INDEXED = True
INDEXED_VALUE = False

[index]
INDEXED = True
INDEXED_VALUE = False

[sourcetype]
INDEXED = True
INDEXED_VALUE = False

[_sourcetype]
INDEXED = True
INDEXED_VALUE = False

[_indextime]
INDEXED = True
INDEXED_VALUE = False

[host]
INDEXED = True
INDEXED_VALUE = False

[linecount]
INDEXED = True
INDEXED_VALUE = False

[punct]
INDEXED = True
INDEXED_VALUE = False

[evtlog_id]
INDEXED = True
INDEXED_VALUE = False

[evtlog_category]
INDEXED = True
INDEXED_VALUE = False

[evtlog_severity]
INDEXED = True
INDEXED_VALUE = False

[evtlog_account]
INDEXED = True
INDEXED_VALUE = False

[evtlog_domain]
INDEXED = True
INDEXED_VALUE = False

[evtlog_sid]
INDEXED = True
INDEXED_VALUE = False

[evtlog_sid_type]
INDEXED = True
INDEXED_VALUE = False

[date_year]
INDEXED = True
INDEXED_VALUE = False

[date_month]
INDEXED = True
INDEXED_VALUE = False

[date_mday]
INDEXED = True
INDEXED_VALUE = False

[date_wday]
INDEXED = True
INDEXED_VALUE = False

[date_hour]
INDEXED = True
INDEXED_VALUE = False

[date_minute]
INDEXED = True
INDEXED_VALUE = False

[date_second]
INDEXED = True
INDEXED_VALUE = False

[date_zone]
INDEXED = True
INDEXED_VALUE = False

[timeendpos]
INDEXED = True
INDEXED_VALUE = False

[timestartpos]
INDEXED = True
INDEXED_VALUE = False

[splunk_server]
INDEXED = True
INDEXED_VALUE = False

[splunk_server_group]
INDEXED = True
INDEXED_VALUE = False

[splunk_federated_provider]
INDEXED = True
INDEXED_VALUE = False

#[To]
#TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

#[From]
#TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

#[Cc]
#TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

[sourcetype::splunk_resource_usage::data*]
INDEXED = True
Inital Commit 7 months ago			`# Version 9.2.2.20240415`
			`# DO NOT EDIT THIS FILE!`
			`# Changes to default files will be lost on update and are difficult to`
			`# manage and support.`
			`#`
			`# Please make any changes to system defaults by overriding them in`
			`# apps or $SPLUNK_HOME/etc/system/local`
			`# (See "Configuration file precedence" in the web documentation).`
			`#`
			`# To override a specific setting, copy the name of the stanza and`
			`# setting to the file where you wish to override it.`
			`#`
			`# This file contains possible attribute and value pairs for creating`
			`# dynamic field extractions.`
			`#`

			`TOKENIZER =`
			`INDEXED = False`
			`INDEXED_VALUE = True`

			`[source]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[index]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[sourcetype]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[_sourcetype]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[_indextime]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[host]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[linecount]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[punct]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[evtlog_id]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[evtlog_category]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[evtlog_severity]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[evtlog_account]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[evtlog_domain]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[evtlog_sid]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[evtlog_sid_type]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[date_year]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[date_month]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[date_mday]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[date_wday]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[date_hour]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[date_minute]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[date_second]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[date_zone]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[timeendpos]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[timestartpos]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[splunk_server]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[splunk_server_group]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`[splunk_federated_provider]`
			`INDEXED = True`
			`INDEXED_VALUE = False`

			`#[To]`
			`#TOKENIZER = (\w[\w.\-]@[\w.\-]\w)`

			`#[From]`
			`#TOKENIZER = (\w[\w.\-]@[\w.\-]\w)`

			`#[Cc]`
			`#TOKENIZER = (\w[\w.\-]@[\w.\-]\w)`

			`[sourcetype::splunk_resource_usage::data*]`
			`INDEXED = True`