Splunk Search

Problems with Field Extraction where Source has a Forward Slash in it


I am trying to create a field extraction for events from the source:

I am able to save it, but when I go to set permissions on it (or edit/move it), I get the following in Splunk web:
Splunk could not perform action for resource data/props/extractions (404, u'Splunk cannot find "data/props/extractions/source::WinEventLog:Microsoft-Windows-TerminalServices-Gateway/Operational : EXTRACT-TestRDG". [HTTP 404]; [{\'type\': \'ERROR\', \'text\': \'Could not find object id=source%3A%3AWinEventLog%3AMicrosoft-Windows-TerminalServices-Gateway/Operational : EXTRACT-TestRDG\', \'code\': None}]')

I am able to delete it though.

It looks like the forward slash in the source is the problem.

Has anyone encountered this before or know of a work around for it?

0 Karma

Esteemed Legend

They "easy" answer is to avoid using source and instead sourcetype. If you must use source, then try using source = ...Operational I tested it and this works.


Hello, i am getting the same error but i am using source type that has a forward slash. See error below:

Splunk could not perform action for resource data/props/extractions (404, 'Splunk cannot find "data/props/extractions//nrc/prod/rtp/bi/api : EXTRACT-Exception_Code". [HTTP 404]; [{\'type\': \'ERROR\', \'code\': None, \'text\': \'Could not find object id=/nrc/prod/rtp/bi/api : EXTRACT-Exception_Code\'}]')

I notice that there are two // in the path leading up to the props entry....

The odd thing is that the extract works, I just cannot edit the entry from the fields extraction page. I need to make the permissions global to all users.




0 Karma
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...