Re: Why is there a delay in applying field extract...

phemmer · ‎12-12-2016

Whenever I update a field extraction, both from the search head UI field extraction helper, and via props.conf or transforms.conf, it always takes several minutes before the changes take effect.

Why?
Is there any way to speed it up?
Is there anything to monitor in the splunk logs (_internal index) to know when the update has taken effect so I don't have to just rerun the search over and over.

Some possibly relevant details:
Version 6.5.0
Search head clustering in use
props.conf/transforms.conf changes applied from a search head deployer node, and pushed via splunk apply shcluster-bundle.

jeremyhagand61 · ‎09-16-2019

I have this problem too

woodcock · ‎07-19-2018

You can try a bump or a refresh but the latter will probably take longer than waiting:

http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/CustomizationOptions

dd_msearles · ‎07-19-2018

Did you ever get to the bottom of this? I've always wondered about this and found it annoying.

snoobzilla · ‎12-12-2016

Don't know direct answer to your question. I do know that adding | extract reload=true to your searches will force reload at search time which is helpful if the problem statement is troubleshooting field extractions.

tb5821 · ‎08-01-2017

I downvoted this post because doesn't work

phemmer · ‎12-12-2016

Has no effect 😞

tb5821 · ‎08-01-2017

agree - doesn't seem to work.

snoobzilla · ‎12-12-2016

Are the extractions it has no effect on working eventually?

phemmer · ‎12-12-2016

Yes.

snoobzilla · ‎12-12-2016

😞

Why is there a delay in applying field extraction updates?

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!