Why does creating a new field sometimes require re...

sgoodman26 · ‎10-09-2018

We are having an issue when creating a New Field by using RegEx instead of the Field Extractor. The field itself may not show up at all without restarting Splunk Services. We've made sure that the top of the fields display, and that all fields are selected. We've even made sure of the same thing when selecting fields. We have confirmed that the field itself is searchable in Settings>Field Extractions and is listed as Global or App, and not Private.

This is a intermittent issue, and does not happen each time we create a new field. When it does this happen? Sometimes waiting 10-15 minutes solves the issue. Usually after the hour mark, we will restart Splunk Services and the field will appear within 5 minutes.

woodcock · ‎10-11-2018

I can't say why this delay happens, but hitting the _bump endpoint usually works and hitting the refresh endpiont always works:

http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomizationOptions#Clear_client_and...

iamarkaprabha · ‎10-10-2018

I think it's because of architecture issue.
I agree with Daljeanis , it was waiting for the new knowledge object to be propagated across the search head cluster.

DalJeanis · ‎10-10-2018

Are your search heads clustered? If so, then you are just waiting for the new knowledge object to be propagated across the search head cluster.

Making the field "selected" should have no effect on whether it is extracted. We did a quick test to verify, by finding an arbitrary record in verbose mode, changing an arbitrary field to "selected", then switching back to fast mode and the pield disappeared.

Why does creating a new field sometimes require restarting Splunk services?

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor