https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298809#M90070 <P>I have transforms like access-extractions and access-request, which map to the automatically recognized source types like access_combined, access_combined_wcookie, and access_common in the Field Extractions. Fields from events with these sourcetypes have fields extracted at search time as they should. However, the automatically recognized source types list also mentions: websphere_trlog_syserr and websphere_trlog_sysout. I have a websphere_trlog but not the other two. These should be built-in and not require any other specific app, right? Why would I be missing these two?</P> <P>Ref: <A href="http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Listofpretrainedsourcetypes" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Listofpretrainedsourcetypes</A></P> <P>Splunk version 6.4.3</P> Tue, 29 Sep 2020 14:46:46 GMT quantumburnz 2020-09-29T14:46:46Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298809#M90070 <P>I have transforms like access-extractions and access-request, which map to the automatically recognized source types like access_combined, access_combined_wcookie, and access_common in the Field Extractions. Fields from events with these sourcetypes have fields extracted at search time as they should. However, the automatically recognized source types list also mentions: websphere_trlog_syserr and websphere_trlog_sysout. I have a websphere_trlog but not the other two. These should be built-in and not require any other specific app, right? Why would I be missing these two?</P> <P>Ref: <A href="http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Listofpretrainedsourcetypes" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Listofpretrainedsourcetypes</A></P> <P>Splunk version 6.4.3</P> Tue, 29 Sep 2020 14:46:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298809#M90070 quantumburnz 2020-09-29T14:46:46Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298810#M90071 <P>You should never, Never, NEVER rely on Splunk's automatic sourcetyping feature (IMHO this should be deprecated and removed). You, as the admin, should ALWAYS manually sourcetype everything that you forward into splunk and you should consult and conform to this document:</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.6.2/Data/Listofpretrainedsourcetypes">http://docs.splunk.com/Documentation/Splunk/6.6.2/Data/Listofpretrainedsourcetypes</A><BR /> YOU should be the one to do this mapping with a <CODE>sourcetype=&lt;foo&gt;</CODE> inside of EVERY stanza in EVERY <CODE>inputs.conf</CODE>.</P> Fri, 07 Jul 2017 21:40:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298810#M90071 woodcock 2017-07-07T21:40:20Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298811#M90072 <P>Thanks woodcock - that's some pretty strong wording. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>The sourcetypes don't currently conform to the document so they'll need to be renamed. Regardless, once this is done, I still want Splunk to properly extract fields at search time but there's no definition for these sourcetypes in props.conf.</P> <P>What would cause this? The extractions should be available by default, correct? Hence "pretrained sourcetypes."</P> Fri, 07 Jul 2017 23:33:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298811#M90072 quantumburnz 2017-07-07T23:33:56Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298812#M90073 <P>This product is not a magic 8-ball or genie in a bottle; it can't know everything. Check splunkbase for an app related to your source/sourcetype; if you are using enterprise software, it is probably there. If not, you will have to build your own field extractions or force the product to output it's stuff in something Splunk automatically groks like <CODE>JSON</CODE>, <CODE>CEP</CODE>, <CODE>CSV</CODE>, or <CODE>KVPs</CODE>.</P> Sat, 08 Jul 2017 14:29:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298812#M90073 woodcock 2017-07-08T14:29:47Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298813#M90074 <P>Agree - there's no such thing as a "silver bullet." However, I guess my question comes down to: Is there a built-in extraction for all of the pretrained sourcetypes? I assumed there was; otherwise, what's the point of the "pretrained?"</P> Sat, 08 Jul 2017 15:21:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298813#M90074 quantumburnz 2017-07-08T15:21:27Z https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298814#M90075 <P>I suppose that is a good point. Start with the <CODE>CIM</CODE> app:<BR /> <A href="https://splunkbase.splunk.com/app/1621/">https://splunkbase.splunk.com/app/1621/</A><BR /> It changes frequently. Build out from there.</P> Sat, 08 Jul 2017 15:29:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-resolve-Splunk-from-missing-some-automatically-recognized/m-p/298814#M90075 woodcock 2017-07-08T15:29:22Z