Locate where field extractions are used

sheltomt
Path Finder

Is there a way to determine everywhere that a field extraction is used? We're turning down an app and it just dawned on me that some of these Global extractions might be used elsewhere.

We'd like to identify them and move them into a neutral location


somesoni2
SplunkTrust

I'm guessing you want to know all the places (saved/ad hoc knowledge objects) where those globally extracted fields are being used. If so, you can use the queries from the post below, and adjust your where clause according to the field name whose usage you want to search.

https://answers.splunk.com/answers/610573/sourcetypes-list-of-where-theyre-being-used.html#comment-6...

nickhills
Ultra Champion

Take a look at @martin_mueller 's excellent Knowledge Object Explorer:
https://splunkbase.splunk.com/app/2871/

It allows you to explore your fields, aliases, eventtypes and datamodels by application, so you can see which app they have been created in, and to what they apply.

If my comment helps, please give it a thumbs up!
0 Karma

sheltomt1
Explorer

I'm certainly a Junior admin in Splunk, so please forgive my ignorance

If I do

| rest /servicesNS/-/-/data/props/extractions splunk_server=local|rename eai:acl.app as App |search App=MyApp

I certainly get a list of field extractions. However, I'm not seeing anything in here that ties those extractions to "where am I being used"

I'm probably just missing something obvious here.

sheltomt
Path Finder

I got it, sorry. Too early in the morning.

For anyone else finding this on a future search: In the results from the rest query above, Stanza field maps to Sourcetype.

Simply follow somesoni2's link above, to my previous question. Use your newly found Extraction sourcetypes in those queries, and you'll be set.

mayurr98
Super Champion

Mostly extractions are used in props.conf, transforms.conf and sometimes they are used in inputs.conf as well.

Well, normally global extractions are placed in /etc/system/local
If you want to see all the paths of a file, say the props.conf file, then you can use the locate command on the terminal
locate props.conf and it will give you all the paths containing props.conf.
Let me know if this helps!

0 Karma
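
The conf-file approach from this thread as an added example (not code from any poster or from Splunk): it reads the inline `EXTRACT-` settings from the retiring app's props.conf, takes the field names from the named capture groups, and lists saved searches in other apps that mention those fields or the stanza (sourcetype). The conf text, app names, sourcetype and field names are constructed samples, and only single-line `EXTRACT-` and `search` settings are handled.

```python
import re

# Constructed sample: props.conf of the app being retired (hypothetical sourcetype/fields).
RETIRING_PROPS = r"""
[acme:fw]
EXTRACT-src = src=(?<src_ip>\d+\.\d+\.\d+\.\d+)
EXTRACT-act = action=(?P<fw_action>\w+)\s+user=(?<fw_user>\w+)
"""
# Constructed sample: savedsearches.conf text from other apps, keyed by app name.
OTHER_APPS = {
    "soc_alerts": "[Blocked outbound]\n"
                  "search = sourcetype=acme:fw fw_action=blocked | stats count by src_ip\n"
                  "[Login failures]\n"
                  "search = index=auth action=failure | stats count by user\n",
    "netops": "[Top talkers]\nsearch = index=net | top src_ip_total\n",
}

def parse_conf(text):
    """Return {stanza: {key: value}} for simple single-line .conf settings."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def extracted_fields(props_text):
    """Map each props stanza (sourcetype) to the named groups of its EXTRACT- regexes."""
    return {
        stanza: {f for key, rx in settings.items() if key.startswith("EXTRACT-")
                 for f in re.findall(r"\(\?P?<(\w+)>", rx)}
        for stanza, settings in parse_conf(props_text).items()
    }

def find_usage(props_text, apps):
    """Return (app, saved search, matched names) for searches using a field or sourcetype."""
    names = {n for st, fs in extracted_fields(props_text).items() for n in fs | {st}}
    hits = []
    for app, conf in apps.items():
        for title, settings in parse_conf(conf).items():
            spl = settings.get("search", "")
            used = sorted(n for n in names if re.search(rf"(?<![\w:]){re.escape(n)}(?![\w:])", spl))
            if used:
                hits.append((app, title, used))
    return hits

print(find_usage(RETIRING_PROPS, OTHER_APPS))
```

Matching is on whole tokens, so `src_ip_total` does not count as a use of `src_ip`; a field name that appears only inside a quoted string in a search will still be reported and needs a manual look.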