Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does field extraction only work when "| extract reload=T" is added to search?

muebel
SplunkTrust
SplunkTrust
‎12-28-2015 12:40 PM

I've got a fairly simple field extraction specified by a props.conf REPORT directive pointed to a transforms.conf spec. The REPORT directive is within a sourcetype spec'd stanza.

The transforms.conf spec has a SOURCE_KEY value that is a autokv extracted field that is null in some events (i.e. "key=" as a null while positive events are key=value). The only other directive for this stanza is the REGEX, which works via rex command.

With this config set, and after a splunk restart, the extracted field fails to show up in search results on the sourcetype. However, if I run the same search, and append a | extract reload=T to the end, the field shows up.

This is very confusing. Does anybody have any explanation as to what could be going on here?

Reply

tprz
Explorer
‎04-09-2020 04:43 PM

I got this figured out for my instance.

I had a user who built transforms based field extractions that targeted the "log" field that was being extracted from the json formatted data.

The extraction worked with | extract reload=true, but not without it.

My fix was to go under that sourcetype in props and manually extract the json formatted fields before the calls to the transforms happened

props.conf
KV_MODE = json
REPORT-user-extract = whatever
REPORT-user-extract2 = whatever2

0 Karma
Reply

martynoconnor
Communicator
‎06-03-2019 05:09 PM

Extract reload=t forces a refresh of props and transforms. When you make changes to props and transforms in most cases you need a restart of Splunk to ensure those changes are applied. extract reload=t is a way of circumventing that. You will likely find that a simple restart of Splunk means you don't need to use this workaround.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-28-2016 03:36 PM

This directive causes an immediate single-session (for you, not necessarily Search-Head-wide) reload of all of your Search Head KOs. This is particularly useful if you are not an admin and cannot force a reboot of the Search Head and cannot call the bump REST endpoint, both of which will also cause a (global) reload of the KOs.

In your case, the key thing to note is that you should only need to do this ONE TIME to pull in the KOs. Once your new Search-Time KOs are functioning, you can stop using it, because the work has been done.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-27-2016 05:06 AM

Are the props and transforms on the search head in the app that you are searching from?

Report- is a search time extraction and needs to be in the app or exported globally and needs to be on the search head.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-27-2016 05:08 AM

Oh sorry muebel, didn't see this was you... I'm sure you've already crossed these T's and dotted these I's

0 Karma
Reply

sundareshr
Legend
‎12-28-2015 12:55 PM

The problem is probably in your REGEX OR the order in which the extractions are being executed. Try using the btool to troubleshoot the order and see if that fixes your problem. You should almost never have to use the | extract reload=t directive.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...