Hi, one of our admins has reinstalled a forwarder. Now we have issues with data that is not coming through anymore, but it also seems that field extractions I have made earlier are lost, while the initial data is not. Is this possible after a reinstall, or can this have another cause? I am not sure where Splunk stores the data of the extractions etc.
I presume you mean a universal forwarder?
When it was reinstalled, was it configured to use your deployment server? If not, it won't have any output configuration, which could be one reason you are not getting data from it anymore.
With regard to extractions - no.
Reinstalling a UF should have no impact on field extractions, because a UF only sends data to Heavy Forwarders or indexers. If you have index extractions, this is where these take place, and the config will be in your props/transforms on the HF/IDX.
Search-time extractions are configured on the search head, so they are even further removed from the UF.
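As an added illustration (not from the original thread), this is where the two kinds of extraction live in a distributed deployment; the sourcetype, stanza and field names are assumed:

```ini
# Indexer / heavy forwarder: index-time extraction.
# props.conf on the HF/IDX ("app_access" is an assumed sourcetype name).
[app_access]
TRANSFORMS-client = extract_client_id

# transforms.conf on the HF/IDX: runs at parse time, never on the UF.
[extract_client_id]
REGEX = client=(\w+)
FORMAT = client_id::$1
# WRITE_META = true stores the field in the index (index-time field).
WRITE_META = true

# Search head: search-time extraction, which is what the Field Extractor UI
# writes to props.conf under etc/apps/<app>/local/ or
# etc/users/<user>/<app>/local/ on the search head.
[app_access]
EXTRACT-status = status=(?<status>\d{3})
```

If the search-head props.conf still contains the EXTRACT- stanza, the extraction exists regardless of what happened to the forwarder.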
Hi @nickhillscpl, thanks for your response. I have field extractions through the 'field extractor' under 'settings'.
Are these 'search time extractions' ?
For your other comments I will contact the admin, because this is not my cup of tea; I was only wondering.
Yes, these will exist only on the search head.
It's not unheard of for them to stop working, but normally it's for one of the following reasons, in descending likelihood.
That's why I am lost: none of the above is the case. Then again, whether someone has changed them is not something I can check.
You're not by chance searching in Fast mode, are you?
Fast mode will skip listing extracted fields (on the left pane) in favour of speed.
Verbose mode will list out all of the extractions which match your data.