Getting Data In
Highlighted

Field extraction issue on events with no sourcetype information

Engager

Using Splunk 6.6.2, I've created a search to look for supervisord events on two different hosts. These events are not currently assigned a source type in inputs.conf on the forwarders:

index=os host=rooster OR host="rooster-2" sourcetype=supervisord*

The events do have sourcetypes when viewed in search, which I assume Splunk assigned at index time. However, when I try to "Extract More Fields" I get:

The events associated with this job have no sourcetype information: 1506449927.283954

Do I have to assign the source type on the forwarder for the extraction to work?

0 Karma
Highlighted

Re: Field extraction issue on events with no sourcetype information

SplunkTrust
SplunkTrust

Hi @wadesworld,

Yes, as best practice assign sourcetype in inputs.conf on splunk forwarder and use that sourcetype in field extraction because when you not specity sourcetype splunk will assign random sourcetype For example: supervisord-1, supervisord-2 .. etc. so your sourcetype will not be constant and due to that your field extraction might not work properly.

Thanks,
Harshil

0 Karma