
Field extraction issue on events with no sourcetype information


Using Splunk 6.6.2, I've created a search to look for supervisord events on two different hosts. These events are not currently assigned a source type in inputs.conf on the forwarders:

index=os host=rooster OR host="rooster-2" sourcetype=supervisord*

The events do have sourcetypes when viewed in search, which I assume Splunk assigned at index time. However, when I try to "Extract More Fields" I get:

The events associated with this job have no sourcetype information: 1506449927.283954

Do I have to assign the source type on the forwarder for the extraction to work?



Hi @wadesworld,

Yes, as a best practice, assign the sourcetype in inputs.conf on the Splunk forwarder and use that sourcetype in the field extraction, because when you do not specify a sourcetype, Splunk will assign a random sourcetype, for example supervisord-1, supervisord-2, etc. So your sourcetype will not be constant, and because of that your field extraction might not work properly.

Thanks,
Harshil

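As an added illustration of the advice above (this is not code from the thread or from Splunk), here is the inputs.conf stanza that pins a fixed sourcetype on the forwarder, the props.conf stanza that keys the search-time extraction on that sourcetype, and a local check that the extraction regexes actually match supervisord's default log format before they are deployed. The monitor path /var/log/supervisor/supervisord.log, the stanza names, the field names and the sample log lines are all assumptions made for the example.

```python
import re

# Constructed supervisord log lines in its default
# "%(asctime)s %(levelname)s %(message)s" layout. These are made-up samples,
# not lines from the question.
SAMPLE_LINES = [
    "2017-09-26 12:18:47,283 INFO spawned: 'webapp' with pid 2148",
    "2017-09-26 12:18:48,301 INFO success: webapp entered RUNNING state, "
    "process has stayed up for > than 1 seconds (startsecs)",
    "2017-09-26 12:20:02,117 WARN exited: webapp (exit status 1; not expected)",
    "2017-09-26 12:20:02,118 INFO gave up: webapp entered FATAL state, "
    "too many start retries too quickly",
    "2017-09-26 12:21:00,000 INFO RPC interface 'supervisor' initialized",
]

# inputs.conf on the forwarder (assumed path). Setting sourcetype here means
# every event from this file is indexed under the same, predictable name.
INPUTS_CONF = """\
[monitor:///var/log/supervisor/supervisord.log]
index = os
sourcetype = supervisord
disabled = false
"""

# Base extraction: timestamp, level and the free-text message. Named groups
# become Splunk field names when used in an EXTRACT-* setting.
LINE_RE = re.compile(
    r"^(?P<log_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) (?P<message>.*)$"
)

# Process lifecycle events. The pid group is optional because only
# "spawned" lines carry it; Splunk likewise leaves unmatched groups unset.
PROC_RE = re.compile(
    r"(?P<event>spawned|success|exited|gave up): '?(?P<process>[A-Za-z0-9_.-]+)'?"
    r"(?: with pid (?P<pid>\d+))?"
)


def render_props_conf():
    """props.conf stanza keyed on the fixed sourcetype (assumed settings)."""
    return (
        "[supervisord]\n"
        "SHOULD_LINEMERGE = false\n"
        "TIME_PREFIX = ^\n"
        "TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N\n"
        "MAX_TIMESTAMP_LOOKAHEAD = 23\n"
        "EXTRACT-supervisord_line = " + LINE_RE.pattern + "\n"
        "EXTRACT-supervisord_proc = " + PROC_RE.pattern + "\n"
    )


def extract_fields(line):
    """Apply both extractions to one event; keep only the groups that matched."""
    fields = {}
    for rx in (LINE_RE, PROC_RE):
        m = rx.search(line)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


def check_extractions(lines):
    """Return (rows, unmatched): one field dict per line, plus any line the
    base regex failed on, so a broken pattern is caught before deployment."""
    rows = [extract_fields(line) for line in lines]
    unmatched = [line for line, row in zip(lines, rows) if "level" not in row]
    return rows, unmatched


if __name__ == "__main__":
    print(INPUTS_CONF)
    print(render_props_conf())
    rows, unmatched = check_extractions(SAMPLE_LINES)
    for row in rows:
        print(row)
    print("unmatched:", unmatched)
```

Once the forwarder stanza is in place, search with `index=os sourcetype=supervisord` rather than the `supervisord*` wildcard. Note that sourcetype is fixed at index time, so events already indexed under the auto-generated names keep those names; the EXTRACT-* settings only apply to events whose sourcetype is exactly `supervisord`, which is why a stable name on the forwarder matters.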