Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Change In Sourcetype Format

BookerT14
Engager
‎08-18-2020 05:58 AM

Before a change was made, data was originally being sent to Splunk in the example of { %a | %b | %c | %d }. Now after a change, more data is being sent but was placed in the middle of the original order {%a | %b | %e | %f | %c | %d}. Causing a conflict in mapping the fields from before the change and after, affecting dashboard graphs etc. Any way to synchronize the two without having to reformat the order of data?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2020 10:46 AM
If the fields truly are order-dependent like they appear, then someone did you a disservice by re-ordering them. Get them to put the new fields on the end.
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-18-2020 11:27 AM

How about your field extraction?

is that done at index time or search time?

if it’s happening at search time, you could change your extractions.

I see %a is %a before and after so the existing fields are not changed, only new fields are added. In my opinion it will work if can change field extraction.

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

BookerT14
Engager
‎08-19-2020 09:16 AM

It is done at search time unfortunately, meaning index is key here. While the order stayed the same for some fields, some fields order was changed causing conflict in extraction.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-18-2020 10:46 AM
If the fields truly are order-dependent like they appear, then someone did you a disservice by re-ordering them. Get them to put the new fields on the end.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

BookerT14
Engager
‎08-19-2020 09:17 AM

Thank you, this is the direction I moved forward with.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...