Hi @verbal_666 

I see that the general consensus here is that its not possible, but you might find that you can achieve what you need using btool? I often use btool via  Admins Little Helper app's custom btool commad, such as:

|btool props list | search "myCustomField"

🌟 Did this answer help you? If so, please consider:

• Adding karma to show it was useful
• Marking it as the solution if it resolved your issue
• Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Short answer is - no.

Long answer is - there is no technical possibility to trace back statically that information. While you might be able to pinpoint "after a lot of time searching for the exact config" where the field came from, it is not possible without the results. Simply because some fields are not statically defined, but are dynamic.

The easiest example of this would be fields extracted by automatic key-value parsing. More interesting case would be dynamic field creation with brackets syntax (eval {something}="here I am!").

So if you wanted to have this information you'd have to:

1) Have a complete audit trace of every single operation in the search pipeline

2) Drag this monstrosity along with the results from the indexers to the searchheads... (not to mention cases like federated search).

So as usual - the question is simple, the answer isn't.

Hi @verbal_666 ,

for my knowledge, there isn't!

there's only the information in which app a field configuration (extraction, tramsformation, calculation, etc...) is defined, but there isn't any information on index time extractions.

In theory, you should be much structured in your activity to know and document where a configuration is done, nut rarely I found this this , especially if more people work on the same project.

Add this proposal to ideas.splunk.com; I'll vote for it!

Ciao.

Giuseppe