Custom field extractions no longer being indexed

felixjs · ‎11-13-2011

Hi All,

We have some indexes that have suddenly stopped indexing the custom fields we had configured on our logs.

There were some changes made to create a new deployment app at the time the problem started occurring, however I have still been unable to track down the cause of the issue. Can anyone assist in pointing me towards which config files I should be checking? Are there any troubleshooting tools that can assist?

Thanks,
Felix

felixjs · ‎11-14-2011

Thanks for the responses - Sourcetype has not been changed. There is another index that is correctly extracting the fields for the same sourcetype.

ie
- Logs from sourcetype Z in index A are indexing but not extracting the fields.
- Logs from sourcetype Z in index B are indexing and extracting the fields correctly.

Can't seem to find where the disconnect may be, I have gone through all the config... Any assistance is much appreciated. Thanks

Drainy · ‎11-14-2011

Has the sourcetype of the forwarded data been changed in the deployment app update?
It could be that the received data is now of a different sourcetype and isn't being extracted as before.

Takajian · ‎11-14-2011

Do you mean this issue has occurred since you created new App? If so, new App setting seems to affect the issue.
I guest your New App permission affect the old App. Could you check it by looking at the manager-> app -> sharing permissions? If new App is "global" setting, it means it affect others.

Custom field extractions no longer being indexed

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk