Splunk Search

What's the lifespan of the newly created fields? Will they be available after re-login and available to all users?

sophiacyh
Explorer

Hello Splunk Community!

Regarding extracting new fields in Splunk search, what's the lifespan of the newly created fields? Will they be available after re-login and available to all users? And can they be easily removed later?

Thank you in advance!


gcusello
SplunkTrust

Hi @sophiacyh,

Your question isn't so clear to me; in particular, I don't understand what you mean by "lifespan".

A field can be:

  • auto-extracted by Splunk when it has the format fieldname=value,
  • extracted by a TA or by a custom field extraction,
  • extracted in a search using a regex.

In the first case, all the users that access the data can see the field.

In the second case, visibility depends on the grants associated with the TA or with the field extraction.

In the third case, all the people that execute the search can see the field.

Remember that fields created at search time (not index, sourcetype, host or source) are visible only in Verbose Mode or, when a field is moved to interesting fields, also in Smart Mode, but not in Fast Mode.

Ciao.

Giuseppe

sophiacyh
Explorer

Thank you for your answer @gcusello, the one I'm interested in is the 2nd one: custom field extraction.

Just to clarify further, when you say "a field created at search time", does that mean that once the search refreshes or is done in another environment, the extracted field will not exist anymore?

Thank you in advance!

0 Karma

gcusello
SplunkTrust

Hi @sophiacyh,

Yes, exactly: a field created at Search Time is created every time a search is executed and lives with the search.

You can have fields extracted in the search (e.g. using a regex) or fields defined for a sourcetype, but in both cases they are created when the search is running and remain for as long as the results are accessible.

Let me know if I can help you more on this topic; otherwise, please accept one answer for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S. Karma Points are appreciated by all the Contributors 😉

venky1544
Builder

Hi @sophiacyh,

When a field is created at search time, if you are saving that search in a dashboard, report or alert, the field is not lost even if you refresh and re-login. To make it permanent you can use the Interactive Field Extractor. And what do you mean by other environment? Can you share some thoughts on it?

Note: If it helps, karma points are appreciated; if it resolves, solution acceptance is appreciated.

0 Karma
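
The two kinds of search-time extraction discussed in this thread, side by side, as an added example that is not from any of the posts: an inline `rex` exists only in the search that contains it, while a saved extraction is a knowledge object in `props.conf` whose visibility is decided by its permissions. The sourcetype `app_auth`, the field `src_user`, the app name `my_app`, the regex and the role list are constructed for illustration.

```ini
# --- 1. Inline, inside the search itself (SPL, shown here as a comment) ---
#   index=main sourcetype=app_auth
#   | rex "login by (?<src_user>\w+) from"
# src_user exists only in the results of searches that contain this rex.
# Nothing is stored, so there is nothing to share and nothing to remove.
# Saving the search as a report, dashboard panel or alert keeps the rex,
# and therefore the field, because the search text itself is what is saved.

# --- 2. Saved extraction: etc/apps/my_app/local/props.conf ----------------
# Still applied at search time (indexed data is not changed), but now to
# every search over this sourcetype, and it survives logout and restart.
# An extraction created in the UI starts out private to its creator
# (etc/users/<user>/<app>/local/props.conf) until it is shared.
[app_auth]
EXTRACT-src_user = login by (?<src_user>\w+) from

# --- 3. Permissions: etc/apps/my_app/metadata/local.meta ------------------
# Who can see the field is decided here, not in props.conf.
# read  : roles whose searches get the extraction applied
# write : roles allowed to edit or delete it
# export = system makes it visible in all apps; omit it to keep the
# extraction scoped to my_app only.
[props/app_auth/EXTRACT-src_user]
access = read : [ * ], write : [ admin ]
export = system

# --- Removing it later ----------------------------------------------------
# Delete the EXTRACT-src_user line (or the object under
# Settings > Fields > Field extractions). Events already indexed are
# untouched; the field simply stops appearing in new searches.
```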