Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to override default for INDEXED_EXTRACTIONS?

lumpymilk
Explorer
‎08-11-2020 04:43 PM

According to documentation here, under the title "Clear a setting":
https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Howtoeditaconfigurationfile


A configuration setting that appears in default can be overridden by an empty setting in local. This often works for things like FIELDALIAS, EVAL, EXTRACT, REPORT and others except I notice it does NOT work for the INDEXED_EXTRACTIONS setting. It looks like the routine that validates this setting will choke if one of the known-good values is not present. So then, if a vendor set INDEXED_EXTRACTIONS=json in their add-on, I might try and set INDEXED_EXTRACTIONS= in the local/props.conf for that same sourcetype, hoping to instead do my JSON on a select few json nodes.

If I did try that, and as Splunk has documented it, then I would find the file would no longer be read in at all. Instead I'd find the following in splunkd.log:

ERROR IndexedExtractionsConfig - Invalid value=''  for parameter='INDEXED_EXTRACTIONS'.

and that would be followed by:

ERROR TailReader - Ignoring path="/myvendorApp/logs/filename.log" due to: Invalid indexed extractions configuration - see prior error messages

If anyone knows how to make this work for INDEXED_EXTRACTIONS, please let me know.

Labels (1)
Labels
Reply

yeahnah
Motivator
‎08-28-2024 05:43 PM

Anyone who comes across this issue please upvote the following idea for a configuration option to disable INDEXED_EXTRACTIONS via an app's local props.conf.  

https://ideas.splunk.com/ideas/EID-I-2400

0 Karma
Reply

dbot2001
Path Finder
‎02-24-2022 09:55 AM

Just hit this issue, did you find a solution?

0 Karma
Reply

to4kawa
Ultra Champion
‎08-11-2020 04:47 PM

what's your props.conf?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...