I uploaded a .csv file in two source types and forgot which fields I extracted and what names I gave to the extracted fields.
I used different names for the same attribute in both source types.
Is there a way to find out which name was given to which attribute while extracting fields?
@sudarshan391, you can run the following REST search in Splunk, provided you have access.
| rest /servicesNS/-/-/data/props/extractions
| search eai.acl.app="<YourAppName>" AND author="<author>" AND stanza="<YourSourceType>"
| table attribute eai.acl.app stanza title type value author eai.acl.owner eai.acl.sharing eai.acl.perm.read eai.acl.perm.write
If you have a fixed app name and owner, you can filter in the first query itself. For example, the following looks at the search app for the admin owner:
| rest /servicesNS/admin/search/data/props/extractions
Since field extractions can be created based on source, host and sourcetype, please use the stanza filter to search for a specific sourcetype if you are aware that extractions have been created for that sourcetype. The second pipe should be based completely on your needs.
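An added example, not part of the original answer: in the rows the REST search returns, the field names an inline extraction creates are the named capture groups inside its value column. The Python below pulls those names out per sourcetype and pairs names that differ between two sourcetypes. The sample rows, the second sourcetype name created_ticket_v2 and every regex are constructed, and it assumes inline extractions are the rows whose attribute starts with EXTRACT-.

```python
import re
from collections import defaultdict

# Splunk accepts "(?<name>" and "(?P<name>". Requiring a letter or underscore
# first skips lookbehinds such as "(?<=" and "(?<!".
NAMED_GROUP = re.compile(r"\(\?P?<([A-Za-z_][A-Za-z0-9_]*)>")

# Constructed rows shaped like the stanza/attribute/value columns of the search.
SAMPLE_ROWS = [
    {"stanza": "created_ticket", "attribute": "EXTRACT-ticket",
     "value": r"^(?P<ticket_id>[^,]+),(?P<opened_by>[^,]+)"},
    {"stanza": "created_ticket_v2", "attribute": "EXTRACT-tkt",
     "value": r"^(?<id>[^,]+),(?<opened_by>[^,]+)"},
    {"stanza": "created_ticket_v2", "attribute": "EXTRACT-status",
     "value": r"(?<=status=)(?<state>\w+)"},
    {"stanza": "created_ticket_v2", "attribute": "REPORT-csv",
     "value": "ticket_csv_fields"},  # transform reference, holds no regex
]

def field_names(regex_value):
    """Field names an inline extraction regex creates, in capture order."""
    return NAMED_GROUP.findall(regex_value)

def inline_rows(rows, stanza=None):
    """Assumption: inline extractions are the rows whose attribute starts EXTRACT-."""
    return [r for r in rows if r["attribute"].startswith("EXTRACT-")
            and stanza in (None, r["stanza"])]

def fields_by_sourcetype(rows):
    """Map stanza -> {extraction attribute: [field names]}."""
    result = defaultdict(dict)
    for r in inline_rows(rows):
        result[r["stanza"]][r["attribute"]] = field_names(r["value"])
    return dict(result)

def renamed_fields(rows, st_a, st_b):
    """Pair names from two stanzas whose regexes differ only in group names."""
    skeleton = lambda value: NAMED_GROUP.sub("(?<_>", value)
    known = {skeleton(r["value"]): field_names(r["value"])
             for r in inline_rows(rows, st_a)}
    pairs = []
    for r in inline_rows(rows, st_b):
        names_a = known.get(skeleton(r["value"]), [])
        pairs += [(a, b) for a, b in zip(names_a, field_names(r["value"])) if a != b]
    return pairs

if __name__ == "__main__":
    print(fields_by_sourcetype(SAMPLE_ROWS))
    print(renamed_fields(SAMPLE_ROWS, "created_ticket", "created_ticket_v2"))
```

To use it on real data, export the search results and load them as a list of dicts with the same three keys.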
Hi,
run
| inputlookup lookupname.csv
and see the fieldnames.
Bye.
Giuseppe
Hi, thanks for your quick reply. I tried the above query but the result is blank.
I replaced lookupname.csv with my csv file name. I also put the index and source type before the | inputlookup.
I tried the queries below but with no success. Am I doing something wrong? Sorry, I am new to Splunk.
| inputlookup Feb-March-Apr-May.csv
index=created_ticket sourcetype=created_ticket | inputlookup Feb-March-Apr-May.csv
Hi,
If you go into 'Settings > Fields > Field Extractions' and then search for the sourcetypes you specified on upload, it should return all the extractions present for those sourcetypes. The results should be in the format 'sourcetype : extraction name'.
Hi, yes, you are right, it is showing the 'sourcetype : extraction name', but what I am looking for is what is inside those extractions. I mean, I want to remember which fields I extracted and what names I gave to those extracted fields.
Thanks for your reply.