https://community.splunk.com/t5/Splunk-Search/which-props-conf-do-i-modify-for-search-time-field-extraction/m-p/27975#M5483 <P>Thanks! The field is showing up in search results now. I had an invalid character in my field name. I accidentally used - instead of _. Now I have a new problem. I can see the field and all valid values of the field with relative percentages. However, if I click on one of those values to search by it, I get 0 results/No matching events found. Given that it just showed me the count of all the events with that value, that doesn't seem right. Note that if I search by field="*", I get all results, but any specific value returns no results. Has anyone seen that before? Should I start a new thread?</P> Wed, 15 Jun 2011 17:14:10 GMT builder 2011-06-15T17:14:10Z https://community.splunk.com/t5/Splunk-Search/which-props-conf-do-i-modify-for-search-time-field-extraction/m-p/27973#M5481 <P>I am new to splunk so forgive my ignorance. My set up is that I have splunk forwarders sending data to two load balanced indexers. I then have a search head that uses the indexers as search peers. I am reading documentation about setting up search-time field extraction in props.conf. I have been playing around with it and it's not behaving as expected. However, I just realized, I'm not sure if I am supposed to be modifying props.conf on my search head or on my indexers. I was doing it on my search head with no success, but then it occurred to me that since the search head uses the indexers as search peers, maybe it should be done there? Can anyone confirm the correct place to put the field extractions?</P> <P>Thanks!</P> Wed, 15 Jun 2011 00:32:29 GMT https://community.splunk.com/t5/Splunk-Search/which-props-conf-do-i-modify-for-search-time-field-extraction/m-p/27973#M5481 builder 2011-06-15T00:32:29Z https://community.splunk.com/t5/Splunk-Search/which-props-conf-do-i-modify-for-search-time-field-extraction/m-p/27974#M5482 <P>You should be putting search-time configuration onto your search head. Look at <A href="http://www.splunk.com/base/Documentation/latest/Deploy/Whatisdistributedsearch">http://www.splunk.com/base/Documentation/latest/Deploy/Whatisdistributedsearch</A> under "What search heads send to search peers". When you do a distributed search, the search head will replicate its search-time configuration data to all of the search peer indexers.</P> <P>Now, considering this is what you have done, I'm not sure what needs to be done to further diagnose why your extractions are not working as desired. You should probably check your various splunkd.log files for error messages related to bundle replication. </P> Wed, 15 Jun 2011 00:56:25 GMT https://community.splunk.com/t5/Splunk-Search/which-props-conf-do-i-modify-for-search-time-field-extraction/m-p/27974#M5482 dwaddle 2011-06-15T00:56:25Z https://community.splunk.com/t5/Splunk-Search/which-props-conf-do-i-modify-for-search-time-field-extraction/m-p/27975#M5483 <P>Thanks! The field is showing up in search results now. I had an invalid character in my field name. I accidentally used - instead of _. Now I have a new problem. I can see the field and all valid values of the field with relative percentages. However, if I click on one of those values to search by it, I get 0 results/No matching events found. Given that it just showed me the count of all the events with that value, that doesn't seem right. Note that if I search by field="*", I get all results, but any specific value returns no results. Has anyone seen that before? Should I start a new thread?</P> Wed, 15 Jun 2011 17:14:10 GMT https://community.splunk.com/t5/Splunk-Search/which-props-conf-do-i-modify-for-search-time-field-extraction/m-p/27975#M5483 builder 2011-06-15T17:14:10Z https://community.splunk.com/t5/Splunk-Search/which-props-conf-do-i-modify-for-search-time-field-extraction/m-p/27976#M5484 <P>Just going to start a new thread as this one seems to have died. : P</P> Thu, 16 Jun 2011 17:44:23 GMT https://community.splunk.com/t5/Splunk-Search/which-props-conf-do-i-modify-for-search-time-field-extraction/m-p/27976#M5484 builder 2011-06-16T17:44:23Z