https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45589#M10832 <P>It is currently possible to setup field extractions based on an <CODE>eventtype</CODE> definition, but it sounds like this may not always be supported. I've been using this feature since Splunk 3.3 or 3.4 (when we first started using splunk). But based on some discussions with the engineers, it sounds like this feature may go away or be depreciated and it sounds like it's currently already a highly-discouraged feature.</P> <P>I recently notice the following message in my <CODE>info.csv</CODE> in the job dispatch folder. (Seem's like it's a "DEBUG" message which is probably why I haven't seen it from the search UI)</P> <P><STRONG>Message:</STRONG></P> <BLOCKQUOTE> <BLOCKQUOTE> <P>Extracting fields based on eventtype is not supported during the main search. Please see splunk documentation for more information.</P> </BLOCKQUOTE> </BLOCKQUOTE> <P>However I'm unable to find the related documentation. Anyone know the official answer to whether or not this feature is truly going away, and how soon? Would the message be more accurately stated: "searching for extracted fields based on eventtype is not supported during the main search"? Or is there some other meaning here?</P> <P></P><HR /><P></P> <P>I get that technically field extractions based on eventtypes is a complex and potentially confusing feature. I have many different types of events with unique field extractions for a single source/sourcetype; so I'm not sure what the recommendation is on how to replace my existing eventtype-based field extractions....</P> Wed, 08 Sep 2010 04:20:39 GMT Lowell 2010-09-08T04:20:39Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45589#M10832 <P>It is currently possible to setup field extractions based on an <CODE>eventtype</CODE> definition, but it sounds like this may not always be supported. I've been using this feature since Splunk 3.3 or 3.4 (when we first started using splunk). But based on some discussions with the engineers, it sounds like this feature may go away or be depreciated and it sounds like it's currently already a highly-discouraged feature.</P> <P>I recently notice the following message in my <CODE>info.csv</CODE> in the job dispatch folder. (Seem's like it's a "DEBUG" message which is probably why I haven't seen it from the search UI)</P> <P><STRONG>Message:</STRONG></P> <BLOCKQUOTE> <BLOCKQUOTE> <P>Extracting fields based on eventtype is not supported during the main search. Please see splunk documentation for more information.</P> </BLOCKQUOTE> </BLOCKQUOTE> <P>However I'm unable to find the related documentation. Anyone know the official answer to whether or not this feature is truly going away, and how soon? Would the message be more accurately stated: "searching for extracted fields based on eventtype is not supported during the main search"? Or is there some other meaning here?</P> <P></P><HR /><P></P> <P>I get that technically field extractions based on eventtypes is a complex and potentially confusing feature. I have many different types of events with unique field extractions for a single source/sourcetype; so I'm not sure what the recommendation is on how to replace my existing eventtype-based field extractions....</P> Wed, 08 Sep 2010 04:20:39 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45589#M10832 Lowell 2010-09-08T04:20:39Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45590#M10833 <P>We intend to leave the feature in in its "half-working" mode until we fix it or provide a better technique for extracting fields based on a dynamic condition. You are correct in saying that the message is more accurately stated as that you can't search for eventtype-extracted fields.</P> Wed, 08 Sep 2010 10:40:35 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45590#M10833 Stephen_Sorkin 2010-09-08T10:40:35Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45591#M10834 <P>This is really neeeded, on shared plateform, the sourcetype is the same for everybody, and there are a lot of sources and host... so how to affect the extraction, if it is not possible to affect it to a source=<EM>key</EM> or an eventtype...</P> Tue, 30 Apr 2013 15:19:12 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45591#M10834 sbsbb 2013-04-30T15:19:12Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45592#M10835 <P>Hi Lowell,</P> <P>Does this problem has been fixed in the latest version ?</P> <P>I am interested in implementing a similar solution even-type based regex. Can you pls advise how you have implemented this ?</P> <P>Thanks</P> <P>Kind Regards</P> <P>KK</P> Mon, 26 Aug 2013 00:29:48 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45592#M10835 KarunK 2013-08-26T00:29:48Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45593#M10836 <P>Stephen, are there any better techniques introduced in the recent versions? I have a similar problem where I have to define the eventtype before field extraction.<BR /> Thanks</P> Mon, 29 Dec 2014 22:44:47 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45593#M10836 ananthkumar12 2014-12-29T22:44:47Z https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45594#M10837 <P>10 years later..... <EM>crickets</EM></P> Thu, 17 Jan 2019 16:20:10 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-fields-based-on-eventtype/m-p/45594#M10837 Eric_Mcknight 2019-01-17T16:20:10Z