- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field Extractions Vary Per App
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Field Extractions Vary Per App
I am running into this very strange issue. Our splunk instance is setup to extract fields at index time. What I am seeing is that the extractions are successful when using the Search & Reporting app, but when using the Home Page app I am running into an issue where none are extracted (don't show up in popular fields or in the field drop-down). Even stranger, when searching in the home app I am getting results when specifying fields only for some events whereas others don't match. This is resolved by spath-ing the fields I want but that is a little tedious and strange. Has anyone else seen this issue or have any possible solutions?
Thank you for your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have tried adding this to the local.meta file in the Search and Reporting app but that did not seem to fix the issue. Am I possible missing something?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you perhaps share a bit more info on the type of data and the configuration used to enable the extractions etc.?
And what exactly do you mean by the "Home Page app"? Is that something you developed?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi yes let me elaborate - right now we have extractions setup to happen on the indexers meaning that the field extraction is happening at index time and not at search time on the search heads. The Home Page app is just an app that is setup almost exactly as the Search & Reporting app with the addition of a standard welcome page. I created mine using this app: https://splunkbase.splunk.com/app/2991/. Just to reiterate again - I am getting field extractions when I use the Search & Reporting app but when I use the similar searching feature in the welcome page app, I am not getting fields extracted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you share some config of how you have defined those index time extractions? Because if they are really index time, I don't see how there could be a difference between apps. With search time extractions this can be explained (as in the comment below).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
NO_BINARY_CHECK = true
TRUNCATE = 0
TIMESTAMP_FIELDS = created_on
TZ = UTC
category = Structured
description = metric stuff
disabled = false
pulldown_type = true
MAX_EVENTS = 1024
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a sample config in the props.conf on an indexer.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
