Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why does creating a new field sometimes require restarting Splunk services?

sgoodman26
Explorer
‎10-09-2018 01:50 PM

We are having an issue when creating a New Field by using RegEx instead of the Field Extractor. The field itself may not show up at all without restarting Splunk Services. We've made sure that the top of the fields display, and that all fields are selected. We've even made sure of the same thing when selecting fields. We have confirmed that the field itself is searchable in Settings>Field Extractions and is listed as Global or App, and not Private.

This is a intermittent issue, and does not happen each time we create a new field. When it does this happen? Sometimes waiting 10-15 minutes solves the issue. Usually after the hour mark, we will restart Splunk Services and the field will appear within 5 minutes.

0 Karma
Reply

woodcock
Esteemed Legend
‎10-11-2018 05:03 PM

I can't say why this delay happens, but hitting the _bump endpoint usually works and hitting the refresh endpiont always works:

http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomizationOptions#Clear_client_and...

0 Karma
Reply

iamarkaprabha
Contributor
‎10-10-2018 11:48 AM

I think it's because of architecture issue.
I agree with Daljeanis , it was waiting for the new knowledge object to be propagated across the search head cluster.

Reply

DalJeanis
Legend
‎10-10-2018 07:25 AM

Are your search heads clustered? If so, then you are just waiting for the new knowledge object to be propagated across the search head cluster.

Making the field "selected" should have no effect on whether it is extracted. We did a quick test to verify, by finding an arbitrary record in verbose mode, changing an arbitrary field to "selected", then switching back to fast mode and the pield disappeared.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...