Splunk Search

Someone else configured field extractions, but I would like to delete some of them. Where do I find them?

crazyeva
Contributor

Hi Guys

I am trying to delete some fields configured by someone else, but I can't find where they are.
First of all, they are Chinese characters. I want to replace them with Az.

I searched in Splunk Web, under "Field extractions", for the sourcetype name and for each of the field names, but found nothing. Then I grepped all the *.conf files under $SPLUNK_HOME, but no results were returned.
I know they are normally in props.conf or transforms.conf. I checked every one of them, but failed to find anything. However, the fields are still extracted when I run the search!

Where else could they be?
Thank you!

0 Karma

muzicman61
New Member

I see this is an old post, but I was facing the same issue. I found that if I went to Settings/Fields/Field Extractions, I was able to view all the fields anyone has created. Then I was able to delete what I no longer needed. You may have to be a power user to do this, but it does not require console access.

0 Karma

the_wolverine
Champion

If the delete action doesn't appear in the UI, then you'll have to check the props.conf for each app on the searcher and remove it manually from the file. You may be able to delete field extractions using REST as well.

mosman_splunk
Splunk Employee

They might be under specific apps, so you have to go to $SPLUNK_HOME/etc/apps/appname.

To find out which app holds the information, use btool:
$SPLUNK_HOME/bin/splunk btool props list --debug | more
$SPLUNK_HOME/bin/splunk btool transforms list --debug | more

Good luck

0 Karma

crazyeva
Contributor

Thank you!
But I still cannot find those field definitions.
And this command can only display conf in ../etc/system and ../etc/apps, but not in ../etc/users?

0 Karma
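
One way to cover the etc/users question raised in the last reply, as an added example that is not from any poster or from Splunk: this script walks etc/system, etc/apps and etc/users for props.conf and transforms.conf and lists every search-time field definition with the file that holds it. The GB18030 fallback, the user "alice", the sourcetype and the field name are assumptions made for the constructed sample.

```python
import os
import re
import tempfile

# Search-time field settings in props.conf, and the transforms.conf keys REPORT- entries use.
PROPS_KEY = re.compile(r"^(EXTRACT|REPORT|FIELDALIAS|EVAL)-[^=]+")
TRANSFORMS_KEY = re.compile(r"^(REGEX|FORMAT|DELIMS|FIELDS)\b")

def decode(raw):
    # Assumption: a file that is not valid UTF-8 is GB18030, one way a grep can miss it.
    try:
        return raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        return raw.decode("gb18030", errors="replace")

def find_extractions(etc_root):
    """Return sorted (path relative to etc, stanza, setting line, has_non_ascii)."""
    hits = []
    for top in ("system", "apps", "users"):  # users/ holds private objects
        for dirpath, _dirs, files in os.walk(os.path.join(etc_root, top)):
            for name in files:
                if name not in ("props.conf", "transforms.conf"):
                    continue
                key_re = PROPS_KEY if name == "props.conf" else TRANSFORMS_KEY
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    text = decode(fh.read())
                stanza = "default"
                for line in text.splitlines():
                    line = line.strip()
                    if line.startswith("[") and line.endswith("]"):
                        stanza = line[1:-1]
                    elif key_re.match(line):
                        rel = os.path.relpath(path, etc_root).replace(os.sep, "/")
                        hits.append((rel, stanza, line, not line.isascii()))
    return sorted(hits)

def build_sample_tree(root):
    # Constructed sample: one private extraction under etc/users, GB18030-encoded.
    d = os.path.join(root, "users", "alice", "search", "local")
    os.makedirs(d)
    with open(os.path.join(d, "props.conf"), "wb") as fh:
        fh.write("[my_sourcetype]\nEXTRACT-name = user=(?<中文>\\w+)\n".encode("gb18030"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_extractions(tmp):
            print(hit)
```

On a real instance, pass the path of $SPLUNK_HOME/etc to find_extractions. If it still returns nothing for the sourcetype, the fields may not be configured extractions at all: Splunk's automatic key=value discovery at search time (KV_MODE) creates fields without any per-field stanza.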