Solved: Why does a new field extraction not work on the se...

BP9906 · ‎03-24-2015

Running the latest Splunk 6.2.2 with search head clustering. I found that when I create a new search field extraction, it doesnt immediately start to work on the current search head that I'm on. It will start working on the other cluster peers after replication grabs it (pretty quick).

Any idea why the current cluster peer wont start using it immediately?

BP9906 · ‎03-24-2015

After some experimenting, I found that after completing the new field extraction, if I close out of what I was doing and go to a fresh search window (ie flashtimeline) then it would have the new extractions kick in. Odd.

View solution in original post

BP9906 · ‎03-24-2015

After some experimenting, I found that after completing the new field extraction, if I close out of what I was doing and go to a fresh search window (ie flashtimeline) then it would have the new extractions kick in. Odd.

strangelaw · ‎03-08-2016

Actually, I have similar kind of issue BUT my symptoms are worse 🙂

2 Search Heads on Cluster
Made a Field extraction on node 1 (captain), sourcetype syslog:myown
Took while to show up, works on node 1 perfectly.
Node 2 - it replicates the field extraction, but never allows to use it/stays on list but does not invoke on search.

Anyone seen similar effect? I found no use for closing windows on neither head(s).

Why does a new field extraction not work on the search head just I created it on, but works immediately on other members in the search head cluster?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms