Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field Extractions Vary Per App

mrstrozy
Path Finder
‎11-02-2018 07:28 AM

I am running into this very strange issue. Our splunk instance is setup to extract fields at index time. What I am seeing is that the extractions are successful when using the Search & Reporting app, but when using the Home Page app I am running into an issue where none are extracted (don't show up in popular fields or in the field drop-down). Even stranger, when searching in the home app I am getting results when specifying fields only for some events whereas others don't match. This is resolved by spath-ing the fields I want but that is a little tedious and strange. Has anyone else seen this issue or have any possible solutions?

Thank you for your help!

0 Karma
Reply

kmorris_splunk
Splunk Employee
Splunk Employee
‎11-02-2018 09:11 AM

See this post:

https://answers.splunk.com/answers/86/how-do-i-share-all-of-the-field-extractions-defined-in-a-given...

0 Karma
Reply

mrstrozy
Path Finder
‎11-05-2018 06:27 AM

I have tried adding this to the local.meta file in the Search and Reporting app but that did not seem to fix the issue. Am I possible missing something?

0 Karma
Reply

FrankVl
Ultra Champion
‎11-02-2018 07:43 AM

Can you perhaps share a bit more info on the type of data and the configuration used to enable the extractions etc.?

And what exactly do you mean by the "Home Page app"? Is that something you developed?

0 Karma
Reply

mrstrozy
Path Finder
‎11-05-2018 06:26 AM

Hi yes let me elaborate - right now we have extractions setup to happen on the indexers meaning that the field extraction is happening at index time and not at search time on the search heads. The Home Page app is just an app that is setup almost exactly as the Search & Reporting app with the addition of a standard welcome page. I created mine using this app: https://splunkbase.splunk.com/app/2991/. Just to reiterate again - I am getting field extractions when I use the Search & Reporting app but when I use the similar searching feature in the welcome page app, I am not getting fields extracted.

0 Karma
Reply

FrankVl
Ultra Champion
‎11-05-2018 06:56 AM

Can you share some config of how you have defined those index time extractions? Because if they are really index time, I don't see how there could be a difference between apps. With search time extractions this can be explained (as in the comment below).

0 Karma
Reply

mrstrozy
Path Finder
‎11-05-2018 07:48 AM

DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
NO_BINARY_CHECK = true
TRUNCATE = 0
TIMESTAMP_FIELDS = created_on
TZ = UTC
category = Structured
description = metric stuff
disabled = false
pulldown_type = true
MAX_EVENTS = 1024

0 Karma
Reply

mrstrozy
Path Finder
‎11-05-2018 07:48 AM

This is a sample config in the props.conf on an indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...