Hi,
How to find whether a field is extracted at index time (or) search time?
Hi
You could use walklex command to get list of index time extractions. Rest of fields are search time extracted.
| walklex index=main type=field
| dedup field
| table field
https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/Walklex
r. Ismo
I am getting below error in Splunk PROD
Unknown search command 'walklex'.