Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

removed extracted fields still remain on specific index!

indeed_2000
Motivator
‎09-22-2021 05:58 AM

Hi, 

I create some field extraction in the past and remove them, but still on specific index when I use this spl show them and detect them in my log.

index="my-index" | table duration id 

it will detect duration and id!

while I remove those field extractetion.

FYI: not show on left side of search result those field, and when i use field extraction wizard in exist field does not exist anything!

 

Any idea?

thanks

Labels (5)
Labels
0 Karma
Reply

codebuilder
Influencer
‎09-22-2021 01:23 PM

It sounds like you may be misunderstanding field extraction.

When you send data to Splunk via a forwarder, it is tagged with the sourcetype that you defined/created. That's used to identify the fields contained within your data (events) when Splunk indexes the data.

Field extraction occurs when you search the data, not when it is indexed. It is possible to modify extraction for NEW events coming in, but you cannot go back and redefine that sourcetype for existing data. Once it has been indexed it cannot be changed.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

indeed_2000
Motivator
‎09-22-2021 01:29 PM

I try to remove datasource first, but still remain.

How about summary index?

it has stash datasource by default, i try to remove it too but still fields remain!
any idea?

0 Karma
Reply

codebuilder
Influencer
‎09-22-2021 01:36 PM

I'm not sure what you mean by "remove datasource". Do you mean sourcetype?

If so, and again, you cannot change data once it has been indexed. You would have to delete it all and re-index it using a modified or different sourcetype.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

indeed_2000
Motivator
‎09-23-2021 01:18 AM

Is there any difference between field extraction on summary index (that use sourcetype stash) with other sourcetype?

when i create field extraction on stash sourcetype this problem occurred!

any idea?

 Thanks, 

0 Karma
Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...