Splunk Search

Field Extractions Vary Per App

Path Finder

I am running into this very strange issue. Our splunk instance is setup to extract fields at index time. What I am seeing is that the extractions are successful when using the Search & Reporting app, but when using the Home Page app I am running into an issue where none are extracted (don't show up in popular fields or in the field drop-down). Even stranger, when searching in the home app I am getting results when specifying fields only for some events whereas others don't match. This is resolved by spath-ing the fields I want but that is a little tedious and strange. Has anyone else seen this issue or have any possible solutions?

Thank you for your help!

0 Karma

Splunk Employee
Splunk Employee
0 Karma

Path Finder

I have tried adding this to the local.meta file in the Search and Reporting app but that did not seem to fix the issue. Am I possible missing something?

0 Karma

Ultra Champion

Can you perhaps share a bit more info on the type of data and the configuration used to enable the extractions etc.?

And what exactly do you mean by the "Home Page app"? Is that something you developed?

0 Karma

Path Finder

Hi yes let me elaborate - right now we have extractions setup to happen on the indexers meaning that the field extraction is happening at index time and not at search time on the search heads. The Home Page app is just an app that is setup almost exactly as the Search & Reporting app with the addition of a standard welcome page. I created mine using this app: https://splunkbase.splunk.com/app/2991/. Just to reiterate again - I am getting field extractions when I use the Search & Reporting app but when I use the similar searching feature in the welcome page app, I am not getting fields extracted.

0 Karma

Ultra Champion

Can you share some config of how you have defined those index time extractions? Because if they are really index time, I don't see how there could be a difference between apps. With search time extractions this can be explained (as in the comment below).

0 Karma

Path Finder

DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
AUTO_KV_JSON = false
NO_BINARY_CHECK = true
TRUNCATE = 0
TIMESTAMP_FIELDS = created_on
TZ = UTC
category = Structured
description = metric stuff
disabled = false
pulldown_type = true
MAX_EVENTS = 1024

0 Karma

Path Finder

This is a sample config in the props.conf on an indexer.

0 Karma