Solved: Change In Sourcetype Format

BookerT14 · ‎08-18-2020

Before a change was made, data was originally being sent to Splunk in the example of { %a | %b | %c | %d }. Now after a change, more data is being sent but was placed in the middle of the original order {%a | %b | %e | %f | %c | %d}. Causing a conflict in mapping the fields from before the change and after, affecting dashboard graphs etc. Any way to synchronize the two without having to reformat the order of data?

richgalloway · ‎08-18-2020

If the fields truly are order-dependent like they appear, then someone did you a disservice by re-ordering them. Get them to put the new fields on the end.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

thambisetty · ‎08-18-2020

How about your field extraction?

is that done at index time or search time?

if it’s happening at search time, you could change your extractions.

I see %a is %a before and after so the existing fields are not changed, only new fields are added. In my opinion it will work if can change field extraction.

————————————
If this helps, give a like below.

BookerT14 · ‎08-19-2020

It is done at search time unfortunately, meaning index is key here. While the order stayed the same for some fields, some fields order was changed causing conflict in extraction.

richgalloway · ‎08-18-2020

If the fields truly are order-dependent like they appear, then someone did you a disservice by re-ordering them. Get them to put the new fields on the end.

---
If this reply helps you, Karma would be appreciated.

BookerT14 · ‎08-19-2020

Thank you, this is the direction I moved forward with.

Change In Sourcetype Format

field extraction

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...