Unable to find from where a field is being extracted

Path Finder

I have checked all my forwarder, indexer, and search head apps, but I am unable to find where a field is being extracted from.

0 Karma

Revered Legend

The field extraction can be set based on sourcetype, source OR host. So make sure you're looking for all relevant stanzas for your sourcetype/source/host. They can be extracted (EXTRACT/REPORT/TRANSFORM in props.conf), calculated (EVAL in props.conf) OR derived (using lookups).

Do you see the value of the extracted field in your raw data?

0 Karma
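
Added example (not part of the thread and not Splunk tooling): a Python scan of props.conf and transforms.conf text for the kinds of definition listed in the post above, reporting which file, stanza and setting creates a given field. The sample app path, stanzas and field names are constructed, and `parse_conf`, `defines` and `find_field` are hypothetical helper names.

```python
import re
# Constructed sample configs (hypothetical app path, stanzas and field names)
SAMPLE_CONFS = {
    "etc/apps/TA-web/default/props.conf": r"""
[access_combined]
EXTRACT-status = \s(?<status>\d{3})\s
REPORT-user = web_user_kv
EVAL-is_error = if(status>=500, 1, 0)
FIELDALIAS-src = clientip AS src
LOOKUP-geo = geo_lookup clientip OUTPUT country
""",
    "etc/apps/TA-web/default/transforms.conf": r"""
[web_user_kv]
REGEX = user=(\w+)
FORMAT = user::$1
""",
}

def parse_conf(text):
    """Yield (stanza, key, value); comments skipped, continuations not handled."""
    stanza = "default"
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            yield stanza, key.strip(), value.strip()

def defines(field, key, value):
    """True if this single setting creates `field`."""
    f = re.escape(field)
    if key.startswith("EXTRACT-") or key == "REGEX":
        return bool(re.search(r"\(\?P?<%s>" % f, value))   # named capture group
    if key == "FORMAT":
        return bool(re.search(r"(^|\s)%s::" % f, value))   # field::$1 in a transform
    if key.startswith("EVAL-"):
        return key[5:] == field                            # calculated field
    if key.startswith("FIELDALIAS-"):
        return bool(re.search(r"\bAS\s+%s\b" % f, value, re.I))
    if key.startswith("LOOKUP-"):                          # only explicit OUTPUT fields
        out = re.split(r"\bOUTPUT(?:NEW)?\b", value, flags=re.I)
        return len(out) > 1 and bool(re.search(r"\b%s\b" % f, out[1]))
    return False

def find_field(field, confs):
    """Return (path, stanza, key, props stanzas whose REPORT-/TRANSFORMS- name it)."""
    rows = [(p, s, k, v) for p, t in confs.items() for s, k, v in parse_conf(t)]
    reports = [(s, v) for _, s, k, v in rows if k.startswith(("REPORT-", "TRANSFORMS-"))]
    return [(p, s, k, sorted({ps for ps, rv in reports if s in re.split(r"[,\s]+", rv)}))
            for p, s, k, v in rows if defines(field, k, v)]
```

A lookup with no OUTPUT clause returns every column of the lookup table, so a field that comes from such a lookup will not be found by this scan.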

Ultra Champion

How did you check all the apps? Manually, or by running btool?

Might be helpful if you provide a bit more info of what you are investigating...

0 Karma


Are you using any app or add-on for data indexing?

0 Karma