Sourcetype with incorrect /unknown field

mailtosnsolutio · ‎02-14-2020

Hello Team,

I am new in Splunking ,

I need to understand few thing ,could anyone please answer the questions :

1.) How to make list of sourcetype and eventtype that need to be fixed to allow for proper data model
2.) How to identify incorrect Aliased /extracted fields ?
3.)How to Determine the sourcetype associated with incorrect /unknown fields
4.) how to identified incorrect /unknown fields from datamodel

what are the steps to fix, Sorry these are common question but being new I need to create report for it !!

Thank in Advance !!!

richgalloway · ‎02-14-2020

The CIM Validator app (https://splunkbase.splunk.com/app/2968/) should help you identify what you need to correct.

---
If this reply helps you, Karma would be appreciated.

mailtosnsolutio · ‎02-14-2020

Is there anyways we can do fields extraction ???

richgalloway · ‎02-15-2020

There are several ways to do field extraction. Use REGEX and FORMAT in transforms.conf; use EXTRACT or REPORT in props.conf; use rex or extract in search.

---
If this reply helps you, Karma would be appreciated.

Sourcetype with incorrect /unknown field

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...