https://community.splunk.com/t5/Getting-Data-In/How-find-index-time-field-extractions/m-p/466736#M80417 <P>Hello all,</P> <P>Our environment has some custom index-time field extractions we find to be very useful (yes, I know Splunk doesn't recommend this). Though due to the possible performance implications of this practice, I want to be 100% confident I know where all index-time fields exist in our indexes.</P> <P>At first, I thought this would be easy, throw a |tstats command together... when it dawned on me I have no idea how to do this.</P> <P>So, if anyone can think of how to get a list of indexes/sources/sourcetypes which contain non-standard index-time field extractions, that'd be a life-saver!</P> <P>Thanks for any help.</P> Tue, 17 Dec 2019 16:44:13 GMT adamsmith47 2019-12-17T16:44:13Z https://community.splunk.com/t5/Getting-Data-In/How-find-index-time-field-extractions/m-p/466736#M80417 <P>Hello all,</P> <P>Our environment has some custom index-time field extractions we find to be very useful (yes, I know Splunk doesn't recommend this). Though due to the possible performance implications of this practice, I want to be 100% confident I know where all index-time fields exist in our indexes.</P> <P>At first, I thought this would be easy, throw a |tstats command together... when it dawned on me I have no idea how to do this.</P> <P>So, if anyone can think of how to get a list of indexes/sources/sourcetypes which contain non-standard index-time field extractions, that'd be a life-saver!</P> <P>Thanks for any help.</P> Tue, 17 Dec 2019 16:44:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-find-index-time-field-extractions/m-p/466736#M80417 adamsmith47 2019-12-17T16:44:13Z https://community.splunk.com/t5/Getting-Data-In/How-find-index-time-field-extractions/m-p/466737#M80418 <P>| tstats count where index=yourindex by yourindexedfield</P> <P>If it works, you're in business, if not... sadly no.</P> <P>You could also do a conventional search like </P> <P>index=foo fieldname::value</P> <P>If that works, it's an indexed field.</P> Tue, 17 Dec 2019 20:37:37 GMT https://community.splunk.com/t5/Getting-Data-In/How-find-index-time-field-extractions/m-p/466737#M80418 martynoconnor 2019-12-17T20:37:37Z https://community.splunk.com/t5/Getting-Data-In/How-find-index-time-field-extractions/m-p/466738#M80419 <P>Ill add to this that you need to make sure you have the correct configurations deployed on your SH for indexed fields for them to be properly recognized via *<EM>fields.conf</EM> ( <A href="https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Configureindex-timefieldextraction">https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Configureindex-timefieldextraction</A>) </P> Tue, 17 Dec 2019 21:06:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-find-index-time-field-extractions/m-p/466738#M80419 esix_splunk 2019-12-17T21:06:02Z