Splunk Search

How to know the already extracted fields of any source type

Path Finder

I uploaded a .csv file in two source types and forgot which fields I extracted and what names I gave to the extracted fields.
I used different names for the same attribute in both source types.

Is there a way to get to know which name was given to which attribute while extracting fields?

0 Karma


@sudarshan391, you can run the following REST search in Splunk, provided you have access.

| rest /servicesNS/-/-/data/props/extractions
| search eai:acl.app="<YourAppName>" AND author="<author>" AND stanza="<YourSourceType>"
| table attribute eai:acl.app stanza title type value author eai:acl.owner eai:acl.sharing eai:acl.perms.read eai:acl.perms.write

If you have a fixed app name and owner, you can filter in the first query itself. For example, the following looks at the search app for the admin owner:

| rest /servicesNS/admin/search/data/props/extractions

Since field extractions can be created based on source, host and sourcetype, please use the stanza filter to search for a specific sourcetype if you are aware that extractions have been created for that sourcetype. The second pipe should be completely based on your needs.

| makeresults | eval message= "Happy Splunking!!!"
0 Karma
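An added example, not part of the answer above or of Splunk's own code: once the REST search has returned its rows, the field names given to inline extractions are the named capture groups inside each `value` regex. The Python sketch below pulls them out per stanza. It assumes `attribute` holds the props.conf key (`EXTRACT-<class>` or `REPORT-<class>`); the sample rows, the `created_ticket_v2` stanza and the transform name are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches named capture groups written as (?<name>...) or (?P<name>...).
# Lookbehinds such as (?<=...) and (?<!...) are skipped because a group
# name must start with a letter or underscore.
GROUP_NAME = re.compile(r"\(\?P?<([A-Za-z_][A-Za-z0-9_]*)>")

def named_groups(value):
    """Return the field names an inline EXTRACT regex creates, in order."""
    return GROUP_NAME.findall(value)

def fields_by_sourcetype(rows):
    """Map each stanza to {'fields': [...], 'transforms': [...]}."""
    out = defaultdict(lambda: {"fields": [], "transforms": []})
    for row in rows:
        entry = out[row["stanza"]]
        if row["attribute"].startswith("EXTRACT-"):
            for name in named_groups(row["value"]):
                if name not in entry["fields"]:
                    entry["fields"].append(name)
        elif row["attribute"].startswith("REPORT-"):
            # REPORT- values name transforms.conf stanzas; the field names
            # live there, so only the references are recorded here.
            entry["transforms"] += [t.strip() for t in row["value"].split(",")]
    return dict(out)

# Constructed sample rows (stanza names and regexes are made up).
SAMPLE_ROWS = [
    {"stanza": "created_ticket", "attribute": "EXTRACT-ticket",
     "value": r"^(?<ticket_id>\d+),(?<opened_by>[^,]+)"},
    {"stanza": "created_ticket_v2", "attribute": "EXTRACT-ticket",
     "value": r"(?<=^)(?P<TicketNumber>\d+),(?P<Creator>[^,]+) in _raw"},
    {"stanza": "created_ticket_v2", "attribute": "REPORT-csv",
     "value": "ticket_csv_fields"},
]

if __name__ == "__main__":
    for stanza, info in fields_by_sourcetype(SAMPLE_ROWS).items():
        print(stanza, info["fields"], info["transforms"])
```

Comparing the `fields` lists of two stanzas side by side shows where the same column was given different names.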


| inputlookup lookupname.csv
and see the fieldnames.

0 Karma

Path Finder

Hi, thanks for your quick reply. I tried the above query but the result is blank.

I replaced lookupname.csv with my csv file name. I also put the index and source type before the | inputlookup

I tried the below queries but had no success. Am I doing something wrong? Sorry, I am new to Splunk.

| inputlookup Feb-March-Apr-May.csv
index=created_ticket sourcetype=created_ticket | inputlookup Feb-March-Apr-May.csv

0 Karma



If you go into 'Settings > Fields > Field Extractions' and then search for the sourcetypes you specified on upload, it should return all the extractions present for those sourcetypes. The results should be in the format 'sourcetype : extraction name'.

0 Karma

Path Finder

Hi, yes, you are right, it is showing the 'sourcetype : extraction name', but what I am looking for is what is inside those extractions. I mean, I want to remember which fields I extracted and what names I gave to those extracted fields.
Thanks for your reply.

0 Karma