Solved: Field extraction showing up for different sourcety...

xxkenta · ‎01-09-2018

Hello. I used the Splunk field extractor to get a field from sourcetype=sourcetype_a
For some reason, when I search sourcetype=sourcetype_b, the field I extracted for sourcetype_a is showing up. The data in that field is nothing relevant as the logs are entirely different. Why is this happening, and how can I prevent it?

micahkemp · ‎01-09-2018

Is it maybe a simple key=value in the event? Those are extracted by default unless you disable it per sourcetype.

View solution in original post

micahkemp · ‎01-09-2018

Is it maybe a simple key=value in the event? Those are extracted by default unless you disable it per sourcetype.

xxkenta · ‎01-09-2018

Checking back now, you would be correct.. it's interesting though because in the event it is actually key\=value which I didn't know Splunk would pick that out. Thank you!

micahkemp · ‎01-09-2018

Converted to an answer.

If you consider it the correct answer, please accept it so that the question no longer looks open.

Field extraction showing up for different sourcetype

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk