The splunk_hec sink does not index fields by default
This gives you full control over which fields are indexed
There is no longer a distinction within Vector between explicit and implicit
event fields. All fields are now implicit and therefore the splunk_hec sink
will not index any fields by default.
Upgrade Guide
To mark the fields you want indexed, set the optional configuration
option indexed_fields:
  sinks:
    my_sink_id:
      type: "splunk_hec"
      inputs: ["my-source-id"]
+     indexed_fields: ["foo", "bar"]