Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sourcetype with incorrect /unknown field

mailtosnsolutio
Explorer
‎02-14-2020 07:12 AM

Hello Team,

I am new in Splunking ,

I need to understand few thing ,could anyone please answer the questions :

1.) How to make list of sourcetype and eventtype that need to be fixed to allow for proper data model
2.) How to identify incorrect Aliased /extracted fields ?
3.)How to Determine the sourcetype associated with incorrect /unknown fields
4.) how to identified incorrect /unknown fields from datamodel

what are the steps to fix, Sorry these are common question but being new I need to create report for it !!

Thank in Advance !!!

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-14-2020 10:21 AM

The CIM Validator app (https://splunkbase.splunk.com/app/2968/) should help you identify what you need to correct.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mailtosnsolutio
Explorer
‎02-14-2020 11:07 AM

Is there anyways we can do fields extraction ???

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2020 05:17 AM

There are several ways to do field extraction. Use REGEX and FORMAT in transforms.conf; use EXTRACT or REPORT in props.conf; use rex or extract in search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...