Splunk Search

What's the lifespan of the newly created fields? Will they be available after re-login and available to all users?

sophiacyh
Explorer

Hello Splunk Community!

Regarding extracting new fields in Splunk search,

what's the lifespan of the newly created fields? Will they be available after re-login and available to all users? And can they be easily removed later?

thank you in advance!

0 Karma
1 Solution

gcusello
Legend

Hi @sophiacyh,

yes exactly: a field created at Search Time is created every time a search is executed and lives with the search.

You can have fields extracted in the search (e.g. using a regex) or fields defined for a sourcetype, but in both cases they are created when the search is running and remain for as long as the results are accessible.

Let me know if I can help you more on this topic, otherwise, please, accept one answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S. Karma Points are appreciated by all the Contributors 😉


gcusello
Legend

Hi @sophiacyh,

your question isn't so clear to me; in particular, I don't understand what you mean by "lifespan".

a field can be:

  • auto extracted by Splunk when it has the format fieldname=value,
  • extracted by a TA or in a custom field extraction,
  • extracted in a search using a regex.

In the first case, all the users that access the data can see the field;

in the second case, visibility depends on the grants associated to the TA or to the field extraction;

in the third case, all the people that execute the search can see the field.

Remember that fields created at search time (not index, sourcetype, host or source) are visible only in Verbose Mode or, when a field is moved to interesting fields, also in Smart Mode, but not in Fast Mode.

Ciao.

Giuseppe
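To make the second and third cases above concrete, here is an added example (not part of the original thread or of any Splunk documentation) showing the same extraction done both ways: once with `rex` inside a search, where the fields exist only in that search's results, and once as a custom field extraction in props.conf, where the fields are created at search time for every search over that sourcetype. The sample event, the index name `os`, the app path and the extraction name `ssh_failed_login` are all constructed for this illustration; `linux_secure` is used here only as an assumed sourcetype name.

```text
# Constructed sample event (not from the page), assumed to be indexed with
# sourcetype=linux_secure in index=os:
#   2022-05-23T10:31:00Z sshd[4321]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2

# Case 3: fields created only for this search. rex extracts user, src_ip and
# src_port from _raw; they exist in these results and nowhere else.
index=os sourcetype=linux_secure "Failed password"
| rex field=_raw "for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)"
| stats count by src_ip, user

# Case 2: the same regex made persistent as a custom field extraction.
# Assumed location: $SPLUNK_HOME/etc/apps/my_app/local/props.conf
# The named capture groups become the field names.
[linux_secure]
EXTRACT-ssh_failed_login = for (?:invalid user )?(?<user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<src_port>\d+)

# With the extraction in place, any search over that sourcetype gets the
# fields at search time without rex (in Verbose Mode, or Smart Mode once
# the fields are selected as interesting fields):
index=os sourcetype=linux_secure "Failed password"
| stats count by src_ip, user
```

Who sees the persistent fields is governed by the knowledge object's sharing, not by the search: a field extraction created through the Interactive Field Extractor or under Settings > Fields > Field extractions starts as private to its owner and has to be shared at the app or global level before other users see the fields. Nothing is written to the indexed data in either case, so removing the extraction (deleting the stanza or the knowledge object) removes the fields from all subsequent searches.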

sophiacyh
Explorer

thank you for your answer @gcusello, the one I'm interested in is the 2nd one: custom field extraction

Just to clarify further, when you say "a field created at search time", does that mean that once the search refreshes or is done in another environment, the extracted field will not exist anymore?

thank you in advance !

0 Karma

venky1544
Contributor

Hi @sophiacyh,

when a field is created at search time, if you are saving that search in a dashboard, report or alert, the field is not lost even if you refresh and re-login. To make it permanent you can use the Interactive Field Extractor. What do you mean by "other environment"? Can you share some thoughts on it?

Note: If it helps, karma points are appreciated / if it resolves, solution acceptance is appreciated

0 Karma