Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Field extraction

gudavasr
Path Finder
‎10-08-2012 03:33 PM

Hi,

I am using props.conf to do field extraction and looks like working fine.
But I don't see them in Search APP..However, I am seeing them in sample_log search head.
here is example:

props conf:

[sample_log]
EXTRACT- = USER\sHOME:\s(?\w:[\w|\|\w|\s]*)

when I use "Search APP"; I don't see the Extract field but if I open "sampledevsearchhead", I can see it. How can I configure the extract fields so that they can be seen in any App?

Thank You.

Tags (2)
0 Karma
Reply
Highlighted

Re: Field extraction

sdaniels
Splunk Employee
Splunk Employee
‎10-08-2012 04:35 PM

You'll want to go to Manager » Fields » Field extractions, find your extraction and change the permissions to be global.

Reply