October
23rd,
2015
As with almost every object in Splunk, field extractions have permissions. If you are creating awesome field extractions to make searching easier don’t forget to modify the permissions afterwards or other people won’t be able to use them and benefit from your awesome work.
On the Splunk search head go to:
- Settings
- Fields
- Field Extractions
- On the very right hand side click on Permissions
- In the field Object should appear in select All apps
- In the field Permissions select Everyone under Read
Sources
- https://answers.splunk.com/answers/71353/search-returned-no-results.html