Custom field extractions no longer being indexed

felixjs · ‎11-13-2011

Hi All,

We have some indexes that have suddenly stopped indexing the custom fields we had configured on our logs.

There were some changes made to create a new deployment app at the time the problem started occurring, however I have still been unable to track down the cause of the issue. Can anyone assist in pointing me towards which config files I should be checking? Are there any troubleshooting tools that can assist?

Thanks,
Felix

felixjs · ‎11-14-2011

Thanks for the responses - Sourcetype has not been changed. There is another index that is correctly extracting the fields for the same sourcetype.

ie
- Logs from sourcetype Z in index A are indexing but not extracting the fields.
- Logs from sourcetype Z in index B are indexing and extracting the fields correctly.

Can't seem to find where the disconnect may be, I have gone through all the config... Any assistance is much appreciated. Thanks

Drainy · ‎11-14-2011

Has the sourcetype of the forwarded data been changed in the deployment app update?
It could be that the received data is now of a different sourcetype and isn't being extracted as before.

Takajian · ‎11-14-2011

Do you mean this issue has occurred since you created new App? If so, new App setting seems to affect the issue.
I guest your New App permission affect the old App. Could you check it by looking at the manager-> app -> sharing permissions? If new App is "global" setting, it means it affect others.

Custom field extractions no longer being indexed

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms