Field extraction disappeared, could this happen after a reinstall of the forwarder?

Mike6960
Path Finder

Hi, one of our admins has reinstalled a forwarder. Now we have issues with data that is not coming through anymore, but it also seems that field extractions I have made earlier are lost while the initial data is not. Is this possible after a reinstall, or can this have another cause? I am not sure where Splunk stores the data of the extractions etc.

0 Karma

nickhills
Ultra Champion

I presume you mean a universal forwarder?

When it was reinstalled, was it configured to use your deployment server? If not, it won't have any output configuration, which could be one reason you are not getting data from it anymore.

With regard to extractions: no.
Reinstalling a UF should have no impact on field extractions, because a UF only sends data to heavy forwarders or indexers. If you have index-time extractions, this is where these take place, and the config will be in your props/transforms on the HF/IDX.
Search-time extractions are configured on the search head, so they are even further removed from the UF.

If my comment helps, please give it a thumbs up!
0 Karma

Mike6960
Path Finder

Hi @nickhillscpl, thanks for your response. I have field extractions through the 'field extractor' under 'settings'.
Are these 'search-time extractions'?

For your other comments I will contact the admin, because this is not my cup of tea; I was only wondering.

0 Karma

nickhills
Ultra Champion

Yes, these will exist only on the search head.

It's not unheard of for them to stop working, but normally it's for one of the following reasons, in descending likelihood.

  • The extractions were created in one app, and you are trying to use them from another app.
  • Someone else has edited them, or moved them.
  • Permissions have been changed / wrong user.
  • The source data format has changed.

If my comment helps, please give it a thumbs up!
0 Karma
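As an added illustration of the first and third reasons above (this is example configuration, not from the thread or from Splunk's docs): a Field Extractor-created extraction is saved on the search head as an `EXTRACT-` setting in an app's `props.conf`, and its visibility to other apps is controlled by the matching stanza in that app's `metadata/local.meta`. The app name (`search`), sourcetype (`my_app_logs`), field names, owner and role names are assumptions.

```ini
# Added example (not from the thread): a search-time field extraction as the
# Field Extractor saves it. It lives on the SEARCH HEAD, never on the forwarder.
# App name, sourcetype, field names, owner and roles are assumptions.

# $SPLUNK_HOME/etc/apps/search/local/props.conf
[my_app_logs]
# EXTRACT-<name> = regex with named groups; each named group becomes a field
EXTRACT-auth_event = ^(?<timestamp>\S+)\s+user=(?<user>\S+)\s+action=(?<action>\w+)

# $SPLUNK_HOME/etc/apps/search/metadata/local.meta
# Default sharing is app-private: the fields only appear while searching from
# the "search" app. export = system makes the extraction global to all apps,
# and the access line decides which roles can see or change it.
[props/my_app_logs/EXTRACT-auth_event]
owner = mike
access = read : [ * ], write : [ admin, power ]
export = system
```

To check which app and file currently defines an extraction, and whether it still merges at all, run on the search head `splunk btool props list my_app_logs --debug`; the `--debug` flag prefixes every line with the file it came from. If the `EXTRACT-` line shows up under a different app's `local` directory than the one you search from, or not at all, that points at the app-scope or the "edited/moved" case rather than at the forwarder.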

Mike6960
Path Finder

That's why I am lost; none of the above is the case. Then again, whether someone has changed them is not something I can check.

0 Karma

nickhills
Ultra Champion

You're not by chance searching in Fast mode, are you?
Fast mode will skip listing extracted fields (on the left pane) in favour of speed.
Verbose mode will list out all of the extractions which match your data.

If my comment helps, please give it a thumbs up!
0 Karma