# Version 9.2.2.20240415
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file contains possible attribute and value pairs for creating
# dynamic field extractions.
#
# Settings used in this file (each stanza name is a field name):
#   INDEXED       - True when the field is written at index time, False when
#                   it is extracted at search time.
#   INDEXED_VALUE - True when the field's value is expected to appear in the
#                   raw event text, False when it is not.
#   TOKENIZER     - regular expression that splits a field into multiple
#                   values; an empty value leaves the field single-valued.
#
# NOTE(review): when overriding in local/, only set INDEXED = True for a field
# that really is written at index time. Declaring a search-time field as
# indexed makes field=value searches miss matching events, so alerts and
# detections built on that field can return nothing without any error.
# Audit local and app-level fields.conf overrides against this baseline.

# Global defaults. These lines come before the first stanza, so they are
# presumably applied to every field that has no stanza of its own: fields are
# treated as search-time extractions whose values occur in the raw text.
TOKENIZER =
INDEXED = False
INDEXED_VALUE = True

# Event metadata fields. Each is declared index-time, with a value that need
# not occur in the raw event text.
[source]
INDEXED = True
INDEXED_VALUE = False

[index]
INDEXED = True
INDEXED_VALUE = False

[sourcetype]
INDEXED = True
INDEXED_VALUE = False

[_sourcetype]
INDEXED = True
INDEXED_VALUE = False

[_indextime]
INDEXED = True
INDEXED_VALUE = False

[host]
INDEXED = True
INDEXED_VALUE = False

[linecount]
INDEXED = True
INDEXED_VALUE = False

[punct]
INDEXED = True
INDEXED_VALUE = False

# evtlog_* fields. The names suggest Windows event log attributes - confirm
# against the input that populates them.
# NOTE(review): evtlog_account, evtlog_domain and evtlog_sid look like
# identity attributes. They are declared index-time, so review which roles can
# search the indexes that hold them.
[evtlog_id]
INDEXED = True
INDEXED_VALUE = False

[evtlog_category]
INDEXED = True
INDEXED_VALUE = False

[evtlog_severity]
INDEXED = True
INDEXED_VALUE = False

[evtlog_account]
INDEXED = True
INDEXED_VALUE = False

[evtlog_domain]
INDEXED = True
INDEXED_VALUE = False

[evtlog_sid]
INDEXED = True
INDEXED_VALUE = False

[evtlog_sid_type]
INDEXED = True
INDEXED_VALUE = False

# date_* fields, declared index-time. Presumably derived from the event
# timestamp - confirm before relying on them for time-based correlation.
[date_year]
INDEXED = True
INDEXED_VALUE = False

[date_month]
INDEXED = True
INDEXED_VALUE = False

[date_mday]
INDEXED = True
INDEXED_VALUE = False

[date_wday]
INDEXED = True
INDEXED_VALUE = False

[date_hour]
INDEXED = True
INDEXED_VALUE = False

[date_minute]
INDEXED = True
INDEXED_VALUE = False

[date_second]
INDEXED = True
INDEXED_VALUE = False

[date_zone]
INDEXED = True
INDEXED_VALUE = False

# Timestamp position fields, declared index-time.
[timeendpos]
INDEXED = True
INDEXED_VALUE = False

[timestartpos]
INDEXED = True
INDEXED_VALUE = False

# Fields naming the server, server group or federated provider, declared
# index-time.
[splunk_server]
INDEXED = True
INDEXED_VALUE = False

[splunk_server_group]
INDEXED = True
INDEXED_VALUE = False

[splunk_federated_provider]
INDEXED = True
INDEXED_VALUE = False

# Disabled examples, shipped commented out. The regex matches tokens shaped
# like e-mail addresses; enabling a stanza would presumably make that header
# field multivalued, one value per address.
#[To]
#TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

#[From]
#TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

#[Cc]
#TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)

# Stanza name looks like sourcetype::<sourcetype>::<field-name wildcard>, i.e.
# fields matching data* in sourcetype splunk_resource_usage are declared
# index-time - confirm against the fields.conf spec. INDEXED_VALUE is not set
# here, so the global default above (True) presumably applies.
[sourcetype::splunk_resource_usage::data*]
INDEXED = True