Custom field extractions no longer being indexed

felixjs
New Member

Hi All,

We have some indexes that have suddenly stopped indexing the custom fields we had configured on our logs.

There were some changes made to create a new deployment app at the time the problem started occurring; however, I have still been unable to track down the cause of the issue. Can anyone assist in pointing me towards which config files I should be checking? Are there any troubleshooting tools that can assist?

Thanks,
Felix

0 Karma

felixjs
New Member

Thanks for the responses - Sourcetype has not been changed. There is another index that is correctly extracting the fields for the same sourcetype.

i.e.
- Logs from sourcetype Z in index A are indexing but not extracting the fields.
- Logs from sourcetype Z in index B are indexing and extracting the fields correctly.

Can't seem to find where the disconnect may be; I have gone through all the config... Any assistance is much appreciated. Thanks

0 Karma

Drainy
Champion

Has the sourcetype of the forwarded data been changed in the deployment app update?
It could be that the received data is now of a different sourcetype and isn't being extracted as before.

0 Karma

Takajian
Builder

Do you mean this issue has occurred since you created the new app? If so, the new app's settings seem to affect the issue.
I guess your new app's permissions affect the old app. Could you check it by looking at Manager -> Apps -> sharing permissions? If the new app has the "global" setting, it means it affects others.

0 Karma