Implementing Splunk 7(Third Edition)

Indexed field case 3 - application from source

A common requirement is to be able to search for events from a particular web application. Often, the only easy way to determine the application that created the logs is by inspecting the path to the logs, which Splunk stores in the indexed field source. For example, given the following path, the application name is app_one:

/opt/instance19/apps/app_one/logs/important.log 

You can search for this application using source="*/app_one/*", but a value beginning with a wildcard cannot be looked up in the index, so this is effectively a full scan of every event in the time range. You could instead define a search-time extracted field and search for app="app_one", but that is no more efficient: a search-time field can only narrow the scan when its value also exists as an indexed term in _raw, and app_one appears only in the path, not in _raw. If we define app as an indexed field, the value is written into the index alongside the event, and app="app_one" becomes an efficient search.
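The following configuration is an added illustration of how such an index-time field is wired up; it is not the book's own configuration, and the stanza name app_from_source and the source:: pattern in props.conf are assumptions chosen to fit the path layout shown above.

```ini
# transforms.conf (on the indexer or heavy forwarder that parses the data).
# The stanza name app_from_source is a hypothetical name chosen for this example.
[app_from_source]
# Read the log path from the source metadata field rather than from _raw.
SOURCE_KEY = MetaData:Source
# Capture the directory between /apps/ and /logs/, e.g. app_one from
# /opt/instance19/apps/app_one/logs/important.log
REGEX = /apps/([^/]+)/logs/
# Write the capture into the index as a field named app.
FORMAT = app::$1
WRITE_META = true

# props.conf (same host). The source pattern is an assumption for this layout;
# paths that do not match it never reach the transform and get no app field.
[source::/opt/instance*/apps/*/logs/*]
TRANSFORMS-app = app_from_source

# fields.conf (on the search head). This tells the search tier that app is an
# indexed field, so app="app_one" is resolved against the index instead of
# being treated as a search-time extraction.
[app]
INDEXED = true
```

Two caveats a practitioner should keep in mind. Index-time settings only affect data indexed after they are deployed (and props.conf and transforms.conf changes need the indexing tier restarted), so older events will not carry the field. To confirm the field really is indexed, run a query such as | tstats count where index=main by app, which only works for indexed fields, or compare the scanCount of app="app_one" against source="*/app_one/*" in the Job Inspector.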

Once again, if you only need this field for reporting, such as a stats or timechart split by app over events the search is going to read anyway, the search-time extracted field is just fine.