Solved: Where do INDEXED_EXTRACTIONS happen?

joxley · ‎12-04-2015

I have a Universal Forwarder reading data in a Tab Separated format. I want to apply the INDEXED_EXTRACTIONS = TSV to it.

Do I need to put that on the Indexer or the Forwarder?

A further question is that if the file is being appended to and the top line contains the headers, do I have to wait for the file to be rotated before I'll get the field extractions?

woodcock · ‎12-05-2015

You have to put this on every Forwarder and then restart all splunk instances there; read about this caveat here:

http://docs.splunk.com/Documentation/Splunk/6.0/Data/Extractfieldsfromfileheadersatindextime#Caveats

View solution in original post

woodcock · ‎12-05-2015

You have to put this on every Forwarder and then restart all splunk instances there; read about this caveat here:

http://docs.splunk.com/Documentation/Splunk/6.0/Data/Extractfieldsfromfileheadersatindextime#Caveats

Where do INDEXED_EXTRACTIONS happen?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation