Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- For multiple, but different field extractions on t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi fellow Splunkers!
I'm curious to know what field extraction takes precedence if a field extraction is defined by the admin and shared with users and a user by himself created a second extraction slightly different in syntax for the same eventsource.
What extraction-definition takes precedence?
Thanks in advance!
Kind Regards,
pyro_wood
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Pyro!
In case you have a 'conflicting' extraction, admin will win. In the end it comes down to file precedence. There's a clear explanation of this in the manual, you can find it here:
http://docs.splunk.com/Documentation/Splunk/6.1/admin/Wheretofindtheconfigurationfiles
Specifically your user/admin battle is explained here:
http://dev.splunk.com/view/webframework-developapps/SP-CAAAE6T
However, try to avoid this if you can, because it is not always clear to the user what setting is applied. (could save you a lot of discussion 🙂
Cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Pyro!
In case you have a 'conflicting' extraction, admin will win. In the end it comes down to file precedence. There's a clear explanation of this in the manual, you can find it here:
http://docs.splunk.com/Documentation/Splunk/6.1/admin/Wheretofindtheconfigurationfiles
Specifically your user/admin battle is explained here:
http://dev.splunk.com/view/webframework-developapps/SP-CAAAE6T
However, try to avoid this if you can, because it is not always clear to the user what setting is applied. (could save you a lot of discussion 🙂
Cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you renems 🙂
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
