topic Re: Why does field extraction only work when "| extract reload=T" is added to search? in Splunk Search

Why does field extraction only work when "| extract reload=T" is added to search?

muebel — Mon, 28 Dec 2015 20:40:29 GMT

I've got a fairly simple field extraction specified by a props.conf REPORT directive pointed to a transforms.conf spec. The REPORT directive is within a sourcetype spec'd stanza.

The transforms.conf spec has a SOURCE_KEY value that is a autokv extracted field that is null in some events (i.e. "key=" as a null while positive events are key=value). The only other directive for this stanza is the REGEX, which works via rex command.

With this config set, and after a splunk restart, the extracted field fails to show up in search results on the sourcetype. However, if I run the same search, and append a | extract reload=T to the end, the field shows up.

This is very confusing. Does anybody have any explanation as to what could be going on here?

Re: Why does field extraction only work when "| extract reload=T" is added to search?

sundareshr — Mon, 28 Dec 2015 20:55:26 GMT

The problem is probably in your REGEX OR the order in which the extractions are being executed. Try using the btool to troubleshoot the order and see if that fixes your problem. You should almost never have to use the | extract reload=t directive.

Re: Why does field extraction only work when "| extract reload=T" is added to search?

jkat54 — Sat, 27 Aug 2016 12:06:44 GMT

Are the props and transforms on the search head in the app that you are searching from?

Report- is a search time extraction and needs to be in the app or exported globally and needs to be on the search head.

Re: Why does field extraction only work when "| extract reload=T" is added to search?

jkat54 — Sat, 27 Aug 2016 12:08:59 GMT

Oh sorry muebel, didn't see this was you... I'm sure you've already crossed these T's and dotted these I's

Re: Why does field extraction only work when "| extract reload=T" is added to search?

woodcock — Sun, 28 Aug 2016 22:36:33 GMT

This directive causes an immediate single-session (for you, not necessarily Search-Head-wide) reload of all of your Search Head KOs. This is particularly useful if you are not an admin and cannot force a reboot of the Search Head and cannot call the bump REST endpoint, both of which will also cause a (global) reload of the KOs.

In your case, the key thing to note is that you should only need to do this ONE TIME to pull in the KOs. Once your new Search-Time KOs are functioning, you can stop using it, because the work has been done.

Re: Why does field extraction only work when "| extract reload=T" is added to search?

martynoconnor — Tue, 04 Jun 2019 00:09:18 GMT

Extract reload=t forces a refresh of props and transforms. When you make changes to props and transforms in most cases you need a restart of Splunk to ensure those changes are applied. extract reload=t is a way of circumventing that. You will likely find that a simple restart of Splunk means you don't need to use this workaround.

Re: Why does field extraction only work when "| extract reload=T" is added to search?

tprz — Thu, 09 Apr 2020 23:43:02 GMT

I got this figured out for my instance.

I had a user who built transforms based field extractions that targeted the "log" field that was being extracted from the json formatted data.

The extraction worked with | extract reload=true, but not without it.

My fix was to go under that sourcetype in props and manually extract the json formatted fields before the calls to the transforms happened

props.conf
KV_MODE = json
REPORT-user-extract = whatever
REPORT-user-extract2 = whatever2