Getting Data In

Field extraction disappeared, could this happen after a reinstall of the forwarder?

Mike6960
Path Finder

Hi, one of our admins has reinstalled a forwarder. Now we have issues with data that is not coming through anymore, but it also seems that field extractions I made earlier are lost, while the initial data is not. Is this possible after a reinstall, or can this have another cause? I am not sure where Splunk stores the data of the extractions etc.

0 Karma

nickhills
Ultra Champion

I presume you mean a universal forwarder?

When it was reinstalled, was it configured to use your deployment server? If not, it won't have any output configuration, which could be one reason you are not getting data from it anymore.

With regard to extractions: no.
Reinstalling a UF should have no impact on field extractions, because a UF only sends data to heavy forwarders or indexers. If you have index extractions, this is where these take place, and the config will be in your props/transforms on the HF/IDX.
Search-time extractions are configured on the search head, so they are even further removed from the UF.

If my comment helps, please give it a thumbs up!
0 Karma

Mike6960
Path Finder

Hi @nickhillscpl, thanks for your response. I have field extractions through the 'field extractor' under 'settings'.
Are these 'search-time extractions'?

For your other comments I will contact the admin, because this is not my cup of tea; I was only wondering.

0 Karma

nickhills
Ultra Champion

Yes, these will exist only on the search head.

It's not unheard of for them to stop working, but normally it's for one of the following reasons, in descending likelihood.

  • The extractions were created in one app, and you are trying to use them from another app.
  • Someone else has edited them, or moved them.
  • Permissions have been changed/wrong user
  • The source data format has changed
If my comment helps, please give it a thumbs up!
0 Karma
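The two answers above say where a search-time extraction actually lives (on the search head, in a props.conf under the app or user that created it) and list app scope and permissions as the most likely reasons it "disappears". The script below is an added illustration, not part of the original thread or of Splunk's own code: it walks a constructed miniature `$SPLUNK_HOME/etc` tree, collects every `EXTRACT-*` key from app-level and private props.conf files, reads the sharing level from the matching `local.meta` stanza, and reports which extractions a given user in a given app can see. The meta stanza shape `[props/<sourcetype>/EXTRACT-<name>]`, the three-level fallback, and the sample sourcetype `web:access` with users `mike`/`admin` and apps `search`/`myteam` are assumptions made for the example. On a real search head the equivalent check is `splunk btool props list <sourcetype> --debug`, which prints each setting with the file it came from.

```python
"""Locate Splunk search-time field extractions (EXTRACT-* keys in props.conf) and work out
from which app / user each one is visible. Uses a constructed demo tree; not Splunk's own code."""
import configparser
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional


def _read_conf(path: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-like. Keep keys case-sensitive (EXTRACT-foo) and split on
    # '=' only, because extraction regexes routinely contain ':'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    if os.path.isfile(path):
        cp.read(path, encoding="utf-8")
    return cp


@dataclass(frozen=True)
class Extraction:
    sourcetype: str
    name: str             # the props.conf key, e.g. EXTRACT-client
    regex: str
    app: str              # app whose directory holds the definition
    owner: Optional[str]  # set only for a private object under etc/users/<owner>/<app>/
    export: str           # "system" = shared with every app, anything else = this app only

    def visible_in(self, app: str, user: str) -> bool:
        if self.owner is not None:   # private: only its owner, only in the app it was made in
            return app == self.app and user == self.owner
        if self.export == "system":  # shared globally
            return True
        return app == self.app       # shared at app level only


def _export_for(meta: configparser.ConfigParser, sourcetype: str, key: str) -> str:
    # Assumed meta stanza shapes, most specific first; missing stanza means app-only.
    for stanza in (f"props/{sourcetype}/{key}", f"props/{sourcetype}", "props"):
        if meta.has_option(stanza, "export"):
            return meta.get(stanza, "export").strip()
    return "none"


def _collect(props_path: str, meta_path: str, app: str, owner: Optional[str]) -> List[Extraction]:
    props, meta = _read_conf(props_path), _read_conf(meta_path)
    out = []
    for sourcetype in props.sections():
        for key, regex in props.items(sourcetype):
            if key.startswith("EXTRACT-"):
                out.append(Extraction(sourcetype, key, regex.strip(), app, owner,
                                      _export_for(meta, sourcetype, key)))
    return out


def find_extractions(etc_root: str) -> List[Extraction]:
    """Walk etc/: app-level (default + local) and private (etc/users/<user>/<app>) props.conf."""
    found: List[Extraction] = []
    apps = os.path.join(etc_root, "apps")
    for app in sorted(os.listdir(apps)) if os.path.isdir(apps) else []:
        base = os.path.join(apps, app)
        for layer in ("default", "local"):
            found += _collect(os.path.join(base, layer, "props.conf"),
                              os.path.join(base, "metadata", f"{layer}.meta"), app, None)
    users = os.path.join(etc_root, "users")
    for user in sorted(os.listdir(users)) if os.path.isdir(users) else []:
        for app in sorted(os.listdir(os.path.join(users, user))):
            base = os.path.join(users, user, app)
            if os.path.isdir(base):
                found += _collect(os.path.join(base, "local", "props.conf"),
                                  os.path.join(base, "metadata", "local.meta"), app, user)
    return found


# Constructed sample tree: three extractions on sourcetype web:access, one per sharing level.
DEMO_FILES = {
    "apps/search/local/props.conf":
        "[web:access]\nEXTRACT-client = ^(?<client>\\S+)\n",
    "apps/search/metadata/local.meta":
        "[props/web:access/EXTRACT-client]\naccess = read : [ * ], write : [ admin ]\nexport = none\n",
    "apps/myteam/local/props.conf":
        "[web:access]\nEXTRACT-status = \\s(?<status>\\d{3})\\s\n",
    "apps/myteam/metadata/local.meta":
        "[props/web:access/EXTRACT-status]\nexport = system\n",
    # Private object (assumed default for extractions saved from the UI until they are shared).
    "users/mike/search/local/props.conf":
        "[web:access]\nEXTRACT-uri = (?:GET|POST) (?<uri>\\S+) HTTP\n",
}


def build_demo_tree(etc_root: str) -> None:
    for rel, body in DEMO_FILES.items():
        path = os.path.join(etc_root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def visible_names(extractions: List[Extraction], app: str, user: str) -> List[str]:
    return sorted(f"{e.app}:{e.name}" for e in extractions if e.visible_in(app, user))


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        ex = find_extractions(root)
        return {
            "defined": sorted(f"{e.app}:{e.name}" for e in ex),
            "mike_in_search": visible_names(ex, "search", "mike"),    # owner, in the right app
            "admin_in_myteam": visible_names(ex, "myteam", "admin"),  # only the globally shared one
        }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {', '.join(names)}")
```

Run against a real search head by pointing `find_extractions` at `$SPLUNK_HOME/etc`. An extraction that appears in the `defined` list but not in the visibility list for the app/user you search from is the situation in the first and third bullets above: it still exists, it is just private to someone else or scoped to another app, and sharing it (or searching from its app) brings it back without recreating it.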

Mike6960
Path Finder

That's why I am lost, none of the above is the case. Then again, whether someone has changed them is not something I can check.

0 Karma

nickhills
Ultra Champion

You're not by chance searching in Fast mode, are you?
Fast mode will skip listing extracted fields (on the left pane) in favour of speed.
Verbose mode will list out all of the extractions which match your data.

If my comment helps, please give it a thumbs up!
0 Karma