topic Re: Field extraction showing up for different sourcetype in Splunk Search

Field extraction showing up for different sourcetype

xxkenta — Tue, 09 Jan 2018 17:05:11 GMT

Hello. I used the Splunk field extractor to get a field from sourcetype=sourcetype_a
For some reason, when I search sourcetype=sourcetype_b, the field I extracted for sourcetype_a is showing up. The data in that field is nothing relevant as the logs are entirely different. Why is this happening, and how can I prevent it?

Re: Field extraction showing up for different sourcetype

micahkemp — Tue, 09 Jan 2018 17:13:22 GMT

Is it maybe a simple key=value in the event? Those are extracted by default unless you disable it per sourcetype.

Re: Field extraction showing up for different sourcetype

xxkenta — Tue, 09 Jan 2018 17:17:38 GMT

Checking back now, you would be correct.. it's interesting though because in the event it is actually key\=value which I didn't know Splunk would pick that out. Thank you!

Re: Field extraction showing up for different sourcetype

micahkemp — Tue, 09 Jan 2018 17:22:13 GMT

Converted to an answer.

If you consider it the correct answer, please accept it so that the question no longer looks open.