Splunk Search

removed extracted fields still remain on specific index!

mehrdad_2000
Builder

Hi, 

I create some field extraction in the past and remove them, but still on specific index when I use this spl show them and detect them in my log.

index="my-index" | table duration id 

it will detect duration and id!

while I remove those field extractetion.

FYI: not show on left side of search result those field, and when i use field extraction wizard in exist field does not exist anything!

 

Any idea?

thanks

Labels (5)
0 Karma

codebuilder
Influencer

It sounds like you may be misunderstanding field extraction.

When you send data to Splunk via a forwarder, it is tagged with the sourcetype that you defined/created. That's used to identify the fields contained within your data (events) when Splunk indexes the data.

Field extraction occurs when you search the data, not when it is indexed. It is possible to modify extraction for NEW events coming in, but you cannot go back and redefine that sourcetype for existing data. Once it has been indexed it cannot be changed.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

mehrdad_2000
Builder

I try to remove datasource first, but still remain.

How about summary index?

it has stash datasource by default, i try to remove it too but still fields remain!
any idea?

0 Karma

codebuilder
Influencer

I'm not sure what you mean by "remove datasource". Do you mean sourcetype?

If so, and again, you cannot change data once it has been indexed. You would have to delete it all and re-index it using a modified or different sourcetype.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

mehrdad_2000
Builder

Is there any difference between field extraction on summary index (that use sourcetype stash) with other sourcetype?

when i create field extraction on stash sourcetype this problem occurred!

any idea?

 Thanks, 

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!