Administrator
/
Splunk_Docker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
Splunk_Docker/files/splunkbeta/etc/system/default/fields.conf

144 lines
2.2 KiB
Raw Permalink Blame History

# Version 9.2.2.20240415
# DO NOT EDIT THIS FILE!
# Changes to default files will be lost on update and are difficult to
# manage and support.
#
# Please make any changes to system defaults by overriding them in
# apps or $SPLUNK_HOME/etc/system/local
# (See "Configuration file precedence" in the web documentation).
#
# To override a specific setting, copy the name of the stanza and
# setting to the file where you wish to override it.
#
# This file contains possible attribute and value pairs for creating
# dynamic field extractions.
#
TOKENIZER =
INDEXED = False
INDEXED_VALUE = True
[source]
INDEXED = True
INDEXED_VALUE = False
[index]
INDEXED = True
INDEXED_VALUE = False
[sourcetype]
INDEXED = True
INDEXED_VALUE = False
[_sourcetype]
INDEXED = True
INDEXED_VALUE = False
[_indextime]
INDEXED = True
INDEXED_VALUE = False
[host]
INDEXED = True
INDEXED_VALUE = False
[linecount]
INDEXED = True
INDEXED_VALUE = False
[punct]
INDEXED = True
INDEXED_VALUE = False
[evtlog_id]
INDEXED = True
INDEXED_VALUE = False
[evtlog_category]
INDEXED = True
INDEXED_VALUE = False
[evtlog_severity]
INDEXED = True
INDEXED_VALUE = False
[evtlog_account]
INDEXED = True
INDEXED_VALUE = False
[evtlog_domain]
INDEXED = True
INDEXED_VALUE = False
[evtlog_sid]
INDEXED = True
INDEXED_VALUE = False
[evtlog_sid_type]
INDEXED = True
INDEXED_VALUE = False
[date_year]
INDEXED = True
INDEXED_VALUE = False
[date_month]
INDEXED = True
INDEXED_VALUE = False
[date_mday]
INDEXED = True
INDEXED_VALUE = False
[date_wday]
INDEXED = True
INDEXED_VALUE = False
[date_hour]
INDEXED = True
INDEXED_VALUE = False
[date_minute]
INDEXED = True
INDEXED_VALUE = False
[date_second]
INDEXED = True
INDEXED_VALUE = False
[date_zone]
INDEXED = True
INDEXED_VALUE = False
[timeendpos]
INDEXED = True
INDEXED_VALUE = False
[timestartpos]
INDEXED = True
INDEXED_VALUE = False
[splunk_server]
INDEXED = True
INDEXED_VALUE = False
[splunk_server_group]
INDEXED = True
INDEXED_VALUE = False
[splunk_federated_provider]
INDEXED = True
INDEXED_VALUE = False
#[To]
#TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)
#[From]
#TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)
#[Cc]
#TOKENIZER = (\w[\w.\-]*@[\w.\-]*\w)
[sourcetype::splunk_resource_usage::data*]
INDEXED = True
Reference in new issue View Git Blame Copy Permalink

Powered by BW's shoe-string budget.