Is there a way to determine everywhere that a field extraction is used? We're turning down an app and it just dawned on me that some of these Global extractions might be used elsewhere.
We'd like to identify them and move them into a neutral location
I'm guessing you want to know where all (saved/adhoc knowledge objects) where those globally extracted fields are being used. If so, you can use queries from below post, and adjust your where clause according to the field name whose usage you want to search.
Take a look at @martin_mueller 's excellent Knowledge Object Explorer:
https://splunkbase.splunk.com/app/2871/
It allows you to explore your fields, aliases, eventtypes and datamodels by application, so you can see which app they have been created in, and to what they apply.
I'm guessing you want to know where all (saved/adhoc knowledge objects) where those globally extracted fields are being used. If so, you can use queries from below post, and adjust your where clause according to the field name whose usage you want to search.
I'm certainly a Junior admin in Splunk, so please forgive my ignorance
If I do
| rest /servicesNS/-/-/data/props/extractions splunk_server=local|rename eai:acl.app as App |search App=MyApp
I certainly get a list of field extractions. However, I'm not seeing anything in here that ties those extractions to "where am I being used"
I'm probably just missing something obvious here.
I got it, sorry. Too early in the morning.
For anyone else finding this on a future search: In the results from the rest query above, Stanza field maps to Sourcetype.
Simply follow somesoni2's link above, to my previous question. Use your newly found Extraction sourcetypes in those queries, and you'll be set.
Mostly extractions are you used in props.conf,transforms.conf and sometimes they are used in inputs.conf as well.
Well normally global extractions are placed in /etc/system/local
If you want to see all the paths of a file say props.conf file then you can use locate command on the terminal
locate props.conf
and it will gibe you all the paths containing props.conf.
Let me know if this helps !