Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Problems with Field Extraction where Source has a ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problems with Field Extraction where Source has a Forward Slash in it
I am trying to create a field extraction for events from the source:
WinEventLog:Microsoft-Windows-TerminalServices-Gateway/Operational
I am able to save it, but when I go to set permissions on it (or edit/move it), I get the following in Splunk web:
Splunk could not perform action for resource data/props/extractions (404, u'Splunk cannot find "data/props/extractions/source::WinEventLog:Microsoft-Windows-TerminalServices-Gateway/Operational : EXTRACT-TestRDG". [HTTP 404] https://127.0.0.1:8089/servicesNS//search/data/props/extractions/source%253A%253AWinEventLog%253AMic...; [{\'type\': \'ERROR\', \'text\': \'Could not find object id=source%3A%3AWinEventLog%3AMicrosoft-Windows-TerminalServices-Gateway/Operational : EXTRACT-TestRDG\', \'code\': None}]')
I am able to delete it though.
It looks like the forward slash in the source is the problem.
Has anyone encountered this before or know of a work around for it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
They "easy" answer is to avoid using source and instead sourcetype. If you must use source, then try using source = ...Operational I tested it and this works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, i am getting the same error but i am using source type that has a forward slash. See error below:
Splunk could not perform action for resource data/props/extractions (404, 'Splunk cannot find "data/props/extractions//nrc/prod/rtp/bi/api : EXTRACT-Exception_Code". [HTTP 404] https://127.0.0.1:8089/servicesNS/klynch/search/data/props/extractions/%252Fnrc%252Fprod%252Frtp%252...; [{\'type\': \'ERROR\', \'code\': None, \'text\': \'Could not find object id=/nrc/prod/rtp/bi/api : EXTRACT-Exception_Code\'}]')
I notice that there are two // in the path leading up to the props entry....
The odd thing is that the extract works, I just cannot edit the entry from the fields extraction page. I need to make the permissions global to all users.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
