- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit or delete a custom field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have just created a field, and realized that is not what I want. I would like either delete it and create a new one, or update it. How can I do it?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you create you field extraction?
If you used the IFX (Interactive Field eXtractor), you can do this in...
"Manager">>"Fields">>"Field Extractions">> Choose field for modifying/deleting.
If you did this in props.conf (you can also remove those created in IFX) this way too... you can find the props.conf files containing the extractions and modify/hash/remove the extraction and restart the Splunk services. The props.conf file will be in one of the following locations...
$SPLUNK_HOME/etc/system/default/props.conf
$SPLUNK_HOME/etc/system/local/props.conf
$SPLUNK_HOME/etc/system/apps/<appName>/props.conf
$SPLUNK_HOME/etc/system/apps/<appName>/props.conf
Regards,
Matt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How did you create you field extraction?
If you used the IFX (Interactive Field eXtractor), you can do this in...
"Manager">>"Fields">>"Field Extractions">> Choose field for modifying/deleting.
If you did this in props.conf (you can also remove those created in IFX) this way too... you can find the props.conf files containing the extractions and modify/hash/remove the extraction and restart the Splunk services. The props.conf file will be in one of the following locations...
$SPLUNK_HOME/etc/system/default/props.conf
$SPLUNK_HOME/etc/system/local/props.conf
$SPLUNK_HOME/etc/system/apps/<appName>/props.conf
$SPLUNK_HOME/etc/system/apps/<appName>/props.conf
Regards,
Matt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found answer:
In Splunk Web, you navigate to the Field extractions page by selecting Manager > Fields > Field extractions.
For more information, see "Use the Field extractions page in Manager".
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
