Splunk Enterprise

Splunk Field Extractor

osama_11
New Member

I am new to Splunk Enterprise and I have a question.
When I add a new field extraction using the Splunk Field Extractor, will the parser itself be modified, and will the new field be applied to all logs by default?
Also, do I have to submit any changes to do so, or edit any configuration file?


kknairr
Contributor

@osama_11 The field extraction will only apply to events of the defined sourcetype, not globally.

Could you please clarify whether you are planning to use these field extractions just for testing, or to roll them out in production?

That will help to determine whether the Field Extractor is sufficient or if you should move to manual configuration management. For production roll out, it is best to manage it via props & transforms configuration files in Splunk.

Refer to the field extraction configuration in the documentation:

props.conf | Platform (last updated 2025-07-30T21:23:14.766Z)

transforms.conf - Splunk Documentation


PickleRick
SplunkTrust

The Field Extractor creates relevant configuration entries on the component you're running it on (or across the whole cluster if you're using search head clustering).

The fields will not be applied to _all logs_, just to the specific sourcetype you ran your extractor on.

Anyway, Field Extractor is nice for presentations and showing how schema-on-read works but for production use it's usually better to handle extractions manually in config files.

isoutamo
SplunkTrust

One addition.

As has already been said, this is just for one sourcetype. Then, depending on what you have defined for its permissions, it could be available only to you, only inside one application for all users inside its context, or globally for all applications and all users (unless some application has extractions with the same names).
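As an added example (not from any of the posters above), this is what the Field Extractor's output looks like when you manage it by hand, as the answers recommend for production: a sourcetype-scoped extraction in props.conf, a reusable transforms.conf stanza it references, and the metadata entry that sets the permission scope isoutamo describes. The sourcetype `vendor_auth`, the app name `my_app`, the field names and the regexes are assumed placeholders.

```ini
# props.conf  (e.g. $SPLUNK_HOME/etc/apps/my_app/local/props.conf)
# Extractions are keyed by sourcetype, so they never apply to "all logs";
# only events whose sourcetype is vendor_auth get these fields at search time.
[vendor_auth]
# Inline search-time extraction: field names come from the regex's named groups.
EXTRACT-auth_fields = user=(?<user>\S+)\s+src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+result=(?<result>\w+)
# Same idea, but the regex lives in transforms.conf and can be reused elsewhere.
REPORT-auth_status = auth_status_extract

# transforms.conf  (same app, same local/ directory)
[auth_status_extract]
REGEX = status=(\d{3})
FORMAT = http_status::$1

# metadata/local.meta controls who sees the extraction:
#   no stanza, or export = none  -> visible only inside this app
#   export = system              -> global, visible from every app
# A private extraction lives under etc/users/<user>/my_app/local/ instead.
[props/vendor_auth/EXTRACT-auth_fields]
access = read : [ * ], write : [ admin ]
export = system
```

Nothing needs to be "submitted": Splunk reads these files on restart (or after a debug/refresh), and a search head cluster distributes them with the usual bundle push.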
