Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

field extraction disappeard, could this happen after a reinstall of the forwarder

Mike6960
Path Finder
‎12-20-2017 02:40 AM

Hi, one of our admins has reinstalled a fowarder. No we have issues with data that is not coming through anymore but it also seems that field extractions I have made earlier are lost while the initial data is not. Is this possible after a reinstall or can this have another cause? I am not sure where splunk stores the data of the extractions etc.

0 Karma
Reply

nickhills
Ultra Champion
‎12-20-2017 02:53 AM

I presume you mean a universal forwarder?

When it was reinstalled, was it configured to use your deployment server - If not it wont have any output configuration, which could be one reason you are not getting data from it anymore.

With regard to extractions - no.
Reinstalling a UF should have no impact on field extractions, because a UF only sends data to Heavy Forwarders or indexers. If you have index extractions, this is where these take place, and the config will be in your props/transforms on the HF/IDX.
Search time extraction are configured on the search head, so is even further removed from the UF.

If my comment helps, please give it a thumbs up!
0 Karma
Reply

Mike6960
Path Finder
‎12-20-2017 03:10 AM

Hi @nickhillscpl, thanks for your response. I have fieldextractions throug the 'field extractor' under 'settings'.
Are these 'search time extractions' ?

For your other comments i wil contact the admin because this is not my cup of tea, i was only wondering.

0 Karma
Reply

nickhills
Ultra Champion
‎12-20-2017 03:22 AM

Yes, these will exist only on the search head.

Its not unheard of for them to stop working but normally its for one of the following reasons, in descending likelihood.

  • The extractions were created in one app, and you are trying to use them from another app.
  • Someone else has edited them, or moved them.
  • Permission have been changed/wrong user
  • The source data format has changed
If my comment helps, please give it a thumbs up!
0 Karma
Reply

Mike6960
Path Finder
‎12-20-2017 04:01 AM

That's why I am lost, none of the above is the case. Then again, whether someone has changed them is not something I can check

0 Karma
Reply

nickhills
Ultra Champion
‎12-21-2017 01:51 AM

Your not by chance searching in Fast mode are you?
Fast mode will skip listing extracted fields (on the left pane) in favour of speed.
Verbose mode will list out all of the extractions which match your data.

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...