Re: Old Index Old Sourcetype New Field - Search Is...

hkchew · ‎01-21-2019

Hi all,

I have used back the old index & sourcetype but i have re-created new field names for my dashboard.
when using the dashboard, i will see the new fields but the rest of my team will see the old fields.
How can I resolve this? Please advise.
Thank you very much

Eg.
old index = "ABC"
old sourcetype = "DDD"
old fieldname = "DDD_XXX"

old index = "ABC"
old sourcetype = "DDD"
new fieldname = "DDD_YYY"

renjith_nair · ‎01-21-2019

@hkchew , have you set the permissions to the new fields so that others can see ?

---
What goes around comes around. If it helps, hit it with Karma 🙂

dkeck · ‎01-21-2019

HI

could it be that you did not change the permissions of your new field extractions

Check them in Fields » Field extractions » Permissions

hkchew · ‎01-21-2019

Hi dkeck,

permissions have been set to "global".

dkeck · ‎01-22-2019

Ok, please check if the users have a field extraction in their users folder for your sourcetype/source/host

/opt/splunk/etc/users/username/appname/local/props.conf

sometimes this could interfere with other extractions, when then refer to the same name or field.

Also check if you have these new extractions within your users folder, because then they have not been shared with others.

Old Index Old Sourcetype New Field - Search Issues

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...