Splunk Search

What's the lifespan of the newly created fields? Will they be available after re-login and available to all users?

sophiacyh
Explorer

Hello Splunk Community!

Regarding extracting new fields in Splunk search,

What's the lifespan of the newly created fields? Will they be available after re-login and available to all users? And can they be easily removed later?

Thank you in advance!

gcusello
Legend

Hi @sophiacyh,

Your question isn't so clear to me; in particular, I don't understand what you mean by "lifespan".

A field can be:

  • auto-extracted by Splunk when it has the format fieldname=value,
  • extracted by a TA or in a custom field extraction,
  • extracted in a search using a regex.

In the first case, all the users that access the data can see the field.

In the second case, visibility depends on the grants associated with the TA or with the field extraction.

In the third case, all the people that execute the search can see the field.

Remember that fields created at search time (not index, sourcetype, host or source) are visible only in Verbose Mode or, when a field is moved to interesting fields, also in Smart Mode, but not in Fast Mode.

Ciao.

Giuseppe
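
The three cases in the answer above, as an added configuration sketch (not part of the original thread and not a shipped Splunk configuration). The sourcetype `constructed_app`, the field names and the regexes are constructed for illustration.

```ini
# Case 1: automatic key=value extraction at search time.
# props.conf: KV_MODE = auto is the default, shown here only to make it explicit.
[constructed_app]
KV_MODE = auto

# Case 3: inline extraction typed into a search (SPL, shown as a comment).
# The field exists only in the results of that search; nothing is written to disk.
#   sourcetype=constructed_app | rex "login by (?<session_user>\S+)"

# Case 2: saved search-time extraction (what the field extractor writes).
# props.conf in the app's local directory; the regex runs again on every search,
# so the field survives logout/login but is never stored in the index.
[constructed_app]
EXTRACT-session_user = login by (?<session_user>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3})

# metadata/local.meta in the same app: who may see and change the extraction.
# Without an entry granting wider read access, a user-created extraction stays
# private to its owner.
[props/constructed_app/EXTRACT-session_user]
access = read : [ * ], write : [ admin ]
export = system
```

Deleting the `EXTRACT-session_user` stanza (or the extraction under Settings > Fields > Field extractions) removes the field from later searches; the indexed events are unchanged because nothing was added to them.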

sophiacyh
Explorer

Thank you for your answer @gcusello, the one I'm interested in is the 2nd one: custom field extraction.

Just to clarify further, when you say "a field created at search time", does that mean that once the search refreshes or is done in another environment, the extracted field will not exist anymore?

Thank you in advance!


gcusello
Legend

Hi @sophiacyh,

Yes, exactly: a field created at Search Time is created every time a search is executed and lives with the search.

You can have fields extracted in the search (e.g. using a regex) or fields defined for a sourcetype, but in both cases they are created when the search is running and remain until the results are accessible.

Let me know if I can help you more on this topic; otherwise, please accept one answer for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S. Karma Points are appreciated by all the Contributors 😉

venky1544
Contributor

Hi @sophiacyh,

When a field is created at search time, if you are saving that search in a dashboard, report or alert, the field is not lost even if you refresh and re-login. To make it permanent, you can use the Interactive Field Extractor. What do you mean by other environment? Can you share some thoughts on it?

Note: If it helps, karma points are appreciated / if it resolves, solution acceptance is appreciated.
