Support for generating commands
Note: Preview features are provided by Splunk to you "as is" without any warranties, maintenance and support, or service level commitments. Splunk makes this preview feature available in its sole discretion and may discontinue it at any time. Use of preview features is subject to the Splunk General Terms.
When you set up searches with field filters, keep in mind that field filters only supports searches that use one of the following generating commands:
searchtstatstypeaheadwalklex
This means that the first command in the search string must be
However, the field filter is applied in the following search:
Technically, the
search, tstats, typeahead, or walklex. For example, the field filter is not applied in the following search because it uses inputcsv, which is an unsupported generating command:
CODE
| inputcsv ... | search ...
CODE
index=main | ....search command comes first in the pipeline, but doesn't actually need to be specified because it is implied. See Generating commands in the Search Reference.
Adding new fields
Don't use field filters to add new fields at search time. Use calculated fields for this purpose. See About calculated fields in the Knowledge Manager Manual.