Splunk Search

Custom field extractions no longer being indexed

felixjs
New Member

Hi All,

We have some indexes that have suddenly stopped indexing the custom fields we had configured on our logs.

There were some changes made to create a new deployment app at the time the problem started occurring; however, I have still been unable to track down the cause of the issue. Can anyone assist in pointing me towards which config files I should be checking? Are there any troubleshooting tools that can assist?

Thanks,
Felix

0 Karma

felixjs
New Member

Thanks for the responses - Sourcetype has not been changed. There is another index that is correctly extracting the fields for the same sourcetype.

i.e.
- Logs from sourcetype Z in index A are indexing but not extracting the fields.
- Logs from sourcetype Z in index B are indexing and extracting the fields correctly.

Can't seem to find where the disconnect may be, I have gone through all the config... Any assistance is much appreciated. Thanks

0 Karma

Drainy
Champion

Has the sourcetype of the forwarded data been changed in the deployment app update?
It could be that the received data is now of a different sourcetype and isn't being extracted as before.

0 Karma

Takajian
Builder

Do you mean this issue has occurred since you created the new App? If so, the new App's settings seem to affect the issue.
I guess your new App's permissions affect the old App. Could you check it by looking at Manager -> App -> sharing permissions? If the new App has the "global" setting, it means it affects others.

0 Karma