- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Though this has been discussed on Splunk Answers, the prevailing solution has not worked for me.
As per the discussions on Splunk Answers, I've switched the "intention" and "replacementMap" params in my xml, but as soon as I populate the search field, the error is thrown. If I leave it blank, it uses the default value from the xml, but that's as much luck as I can wrangle.
Below is the EFS section modified as per prevailing recommendations:
<module name="ExtendedFieldSearch"
layoutPanel="viewHeader">
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="sourcetypeToken">
<param name="default">*</param>
<param name="fillOnEmpty">True</param>
</param>
</param>
</param> <param name="replacementMap">
<param name="arg">
<param name="sourcetypeToken"/>
</param>
</param>
<param name="field">sourcetype</param>
<param name="q">splunkd</param>
...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are right that the "accepted" answer here is wrong. However, the other upvoted answer by dmlee is correct.
Swapping the sections I would not expect to have any effect. However, your replacmentMap arg needs a value:
<module name="ExtendedFieldSearch" layoutPanel="viewHeader">
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="sourcetypeToken">
<param name="default">*</param>
<param name="fillOnEmpty">True</param>
</param>
</param>
</param>
<param name="replacementMap">
<param name="arg">
<param name="sourcetypeToken">
<param name="value"></param>
</param>
</param>
</param>
<param name="field">sourcetype</param>
<param name="q">splunkd</param>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are right that the "accepted" answer here is wrong. However, the other upvoted answer by dmlee is correct.
Swapping the sections I would not expect to have any effect. However, your replacmentMap arg needs a value:
<module name="ExtendedFieldSearch" layoutPanel="viewHeader">
<param name="intention">
<param name="name">stringreplace</param>
<param name="arg">
<param name="sourcetypeToken">
<param name="default">*</param>
<param name="fillOnEmpty">True</param>
</param>
</param>
</param>
<param name="replacementMap">
<param name="arg">
<param name="sourcetypeToken">
<param name="value"></param>
</param>
</param>
</param>
<param name="field">sourcetype</param>
<param name="q">splunkd</param>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
what have you changed? only added
?
