https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Field-Extractor/m-p/759789#M24073 <P>One addition.</P><P>As it has already said this is just for one sourcetype. Then depending on what you have defined for it's permissions, it could be available only for you, only inside one application for all user inside it's context or globally for all applications and all users (unless some application has same named extractions).</P> Mon, 30 Mar 2026 17:32:22 GMT isoutamo 2026-03-30T17:32:22Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Field-Extractor/m-p/759773#M24067 <P>I am new to Splunk Enterprise and I have a question.<BR />when add new field extraction using Splunk Field Extractor, does the parser it self will be modified and the new field will be applied to all logs by default?<BR />also do I have to submit any changes to do so or edit any configuration file?</P> Mon, 30 Mar 2026 09:55:48 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Field-Extractor/m-p/759773#M24067 osama_11 2026-03-30T09:55:48Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Field-Extractor/m-p/759774#M24068 <P>The Field Extractor creates relevant configuration entries on the component you're running it on (or across the whole cluster if you're using search head clustering).</P><P>The fields will not be applied to _all logs_, just to the specific sourcetype you ran your extractor on.</P><P>Anyway, Field Extractor is nice for presentations and showing how schema-on-read works but for production use it's usually better to handle extractions manually in config files.</P> Mon, 30 Mar 2026 12:55:22 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Field-Extractor/m-p/759774#M24068 PickleRick 2026-03-30T12:55:22Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Field-Extractor/m-p/759789#M24073 <P>One addition.</P><P>As it has already said this is just for one sourcetype. Then depending on what you have defined for it's permissions, it could be available only for you, only inside one application for all user inside it's context or globally for all applications and all users (unless some application has same named extractions).</P> Mon, 30 Mar 2026 17:32:22 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Field-Extractor/m-p/759789#M24073 isoutamo 2026-03-30T17:32:22Z https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Field-Extractor/m-p/759793#M24074 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/316434">@osama_11</a>&nbsp;The field extraction will only apply to events of the defined sourcetype, not globally.</P><P>Could you please clarify whether you are planning to use these field extractions just for testing, or to roll them out in production?</P><P>That will help to determine whether the Field Extractor is sufficient or if you should move to manual configuration management. For production roll out, it is best to manage it via props &amp; transforms configuration files in Splunk.</P><P>Refer Field extraction configuration in the documentation:</P><P><A href="https://help.splunk.com/en/data-management/splunk-enterprise-admin-manual/9.2/configuration-file-reference/9.2.8-configuration-file-reference/props.conf" target="_blank" rel="noopener">props.conf | Platform (last updated 2025-07-30T21:23:14.766Z)</A></P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.2.12/Admin/Transformsconf" target="_blank" rel="noopener">transforms.conf - Splunk Documentation</A></P><P><SPAN>&gt;&gt;</SPAN></P><P><SPAN>If this post addressed your question, you can:</SPAN></P><UL><LI><SPAN>Give it&nbsp;</SPAN><SPAN>karma</SPAN><SPAN>&nbsp;to show appreciation&nbsp;<span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></SPAN></LI><LI><SPAN>Mark it as the&nbsp;</SPAN><SPAN>solution</SPAN><SPAN>&nbsp;if it solved your issue&nbsp;<span class="lia-unicode-emoji" title=":heavy_check_mark:">✔️</span></SPAN></LI><LI><SPAN>Add a&nbsp;</SPAN><SPAN>comment</SPAN><SPAN>&nbsp;if you’d like more details&nbsp;<span class="lia-unicode-emoji" title=":pencil:">✏️</span></SPAN></LI></UL><P><SPAN>Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.</SPAN></P><P><SPAN>&gt;&gt;</SPAN></P> Mon, 30 Mar 2026 18:00:46 GMT https://community.splunk.com/t5/Splunk-Enterprise/Splunk-Field-Extractor/m-p/759793#M24074 kknairr 2026-03-30T18:00:46Z