Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: field extraction disappeard, could this happen...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
field extraction disappeard, could this happen after a reinstall of the forwarder
Hi, one of our admins has reinstalled a fowarder. No we have issues with data that is not coming through anymore but it also seems that field extractions I have made earlier are lost while the initial data is not. Is this possible after a reinstall or can this have another cause? I am not sure where splunk stores the data of the extractions etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I presume you mean a universal forwarder?
When it was reinstalled, was it configured to use your deployment server - If not it wont have any output configuration, which could be one reason you are not getting data from it anymore.
With regard to extractions - no.
Reinstalling a UF should have no impact on field extractions, because a UF only sends data to Heavy Forwarders or indexers. If you have index extractions, this is where these take place, and the config will be in your props/transforms on the HF/IDX.
Search time extraction are configured on the search head, so is even further removed from the UF.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @nickhillscpl, thanks for your response. I have fieldextractions throug the 'field extractor' under 'settings'.
Are these 'search time extractions' ?
For your other comments i wil contact the admin because this is not my cup of tea, i was only wondering.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, these will exist only on the search head.
Its not unheard of for them to stop working but normally its for one of the following reasons, in descending likelihood.
- The extractions were created in one app, and you are trying to use them from another app.
- Someone else has edited them, or moved them.
- Permission have been changed/wrong user
- The source data format has changed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's why I am lost, none of the above is the case. Then again, whether someone has changed them is not something I can check
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your not by chance searching in Fast mode are you?
Fast mode will skip listing extracted fields (on the left pane) in favour of speed.
Verbose mode will list out all of the extractions which match your data.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
