Splunk Search

Tracing field extractions in multi-user environment

responsys_cm
Builder

Is there a way to figure out which config file is causing a particular field extraction at search time?

Thx.

C

0 Karma

Drainy
Champion

No. But you can see which extractions have been accepted by Splunk and from what application.
At the command line from SPLUNK_HOME/bin run the following command:

./splunk cmd btool <conf> list --debug

Where <conf> is props, transforms etc. In your case those will most likely be the two to look at. On *nix systems you could do splunk cmd btool props list --debug >> output to dump the output to a file to make it easier to review. All entries will have the APP that they are present within prefixed to each line.

Otherwise, if it is a search time extraction you can comment out all of the REPORT or EXTRACT lines in props and slowly re-introduce them. On 4.3 each time you run a search it will reload the search time extractions so there is no need to restart each time you comment or uncomment one line.

0 Karma
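One way to filter the btool --debug output described in the answer above down to the search-time extractions for a single stanza, as an added example that is not part of the original post. The function names, the sample paths and the assumed line layout (config file path, whitespace, then the setting) are illustrative assumptions.

```shell
#!/bin/sh
# Constructed sample of `splunk cmd btool props list --debug` output.
# Assumption: every line is "<path to .conf file><whitespace><setting>"
# and the paths contain no spaces.
sample_btool_output() {
cat <<'EOF'
/opt/splunk/etc/apps/app_a/default/props.conf  [access_combined]
/opt/splunk/etc/system/default/props.conf      ANNOTATE_PUNCT = True
/opt/splunk/etc/apps/app_a/default/props.conf  EXTRACT-status = \s(?<status>\d{3})\s
/opt/splunk/etc/apps/app_b/local/props.conf    REPORT-kv = access_kv
/opt/splunk/etc/system/default/props.conf      [syslog]
/opt/splunk/etc/system/default/props.conf      REPORT-syslog = syslog-extractions
EOF
}

# trace_extractions STANZA
# Reads btool --debug output on stdin and prints one line per EXTRACT-/REPORT-
# setting in [STANZA]: setting name, owning app, config file (tab separated).
trace_extractions() {
    awk -v stanza="[$1]" '
        {
            file = $1                      # path prefix added by --debug
            sub(/^[^ \t]+[ \t]+/, "")      # leave only the setting in $0
        }
        /^\[/ { in_stanza = ($0 == stanza); next }
        in_stanza && /^(EXTRACT|REPORT)-/ {
            name = $0
            sub(/[ \t]*=.*/, "", name)     # keep the key, drop "= value"
            app = "system"                 # etc/system has no app directory
            if (match(file, "/apps/[^/]+"))
                app = substr(file, RSTART + 6, RLENGTH - 6)
            print name "\t" app "\t" file
        }
    '
}

# Real use: ./splunk cmd btool props list --debug | trace_extractions <stanza>
sample_btool_output | trace_extractions access_combined
```

A REPORT- entry only names a transforms stanza, so the same approach applies to the btool transforms output to find the file that defines it.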