Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Custom field extractions no longer being indexed

felixjs
New Member
‎11-13-2011 09:44 PM

Hi All,

We have some indexes that have suddenly stopped indexing the custom fields we had configured on our logs.

There were some changes made to create a new deployment app at the time the problem started occurring, however I have still been unable to track down the cause of the issue. Can anyone assist in pointing me towards which config files I should be checking? Are there any troubleshooting tools that can assist?

Thanks,
Felix

Tags (1)
0 Karma
Reply

felixjs
New Member
‎11-14-2011 08:04 PM

Thanks for the responses - Sourcetype has not been changed. There is another index that is correctly extracting the fields for the same sourcetype.

ie
- Logs from sourcetype Z in index A are indexing but not extracting the fields.
- Logs from sourcetype Z in index B are indexing and extracting the fields correctly.

Can't seem to find where the disconnect may be, I have gone through all the config... Any assistance is much appreciated. Thanks

0 Karma
Reply

Drainy
Champion
‎11-14-2011 02:43 AM

Has the sourcetype of the forwarded data been changed in the deployment app update?
It could be that the received data is now of a different sourcetype and isn't being extracted as before.

0 Karma
Reply

Takajian
Builder
‎11-14-2011 01:26 AM

Do you mean this issue has occurred since you created new App? If so, new App setting seems to affect the issue.
I guest your New App permission affect the old App. Could you check it by looking at the manager-> app -> sharing permissions? If new App is "global" setting, it means it affect others.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...