Field Extractor and non-default indices

eegilbert
Explorer

Hello,

I'm using the 2.1 version of the Field Extractor app and it doesn't appear to like non-default indexes:

Unable to initialize workflow information: Ignoring unknown index 'indexname')

Stacktrace: Traceback (most recent call last):
File "", line 397, in initInfoFromWorkflow
File "", line 494, in setCurrentIndex
ModelException: Ignoring unknown index 'indexname'

Please note indexname is my generic index name for this example.

1 Solution

carasso
Splunk Employee

I fixed the problem. Update the app to 2.3.

I just updated the Field Extractor app to work in distributed environments, so it works with indexes not on the search head.

 http://apps.splunk.com/app/494/

Let me know if you see any problems.

0 Karma

scsr_1
New Member

My network data has its own index and I am receiving the same error.

Unable to initialize workflow information: Ignoring unknown index 'index_name')

I checked with our Splunk Admin and he said the permissions are correct.

0 Karma

carasso
Splunk Employee

Is it possible the user running the field extractor does not have permission to use that index?

0 Karma

eegilbert
Explorer

Hello, I did wonder about this; however, I'm using Splunk with admin-level permissions. I've even tried setting the app to read/write for all as a test and still get the same result.

0 Karma