Yes, host source sourcetype only.
See http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf - specifically, the section explaining
Eventtype produced under the conditions of a particular field >>
AS-IS
index=AAA (keyworld1 OR kewyorld2) AND (keyworld3)
TO-BE
index=AAA (Specific_Field="keyworld1" OR Specific_Field="kewyorld2") AND (Specific_Field="keyworld3")
Nine years on...
Is it possible yet to define field extractions for particular eventtypes?
Defining them on a sourcetype basis is too generic... one extraction does not fit all events for a given source type.
Example: Linux file /var/log/secure contains Username in different places for successful login and for failed login... so two extractions are required for the same field "Username". Is this a reliable way to do it...? Will the extractions conflict or will the results just be merged?
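
The two-extraction case from the last post, written as a props.conf fragment (an added example, not part of the thread): two EXTRACT classes under one stanza that both write the field Username. The class names and the sshd message wording the regexes anchor on are assumptions; each regex is tied to the literal "Accepted" or "Failed" text so that at most one of them can match a given event.

```ini
# props.conf (search-time extractions)
# Stanza keyed on the source named in the post; a sourcetype stanza works the same way.
[source::/var/log/secure]

# Constructed sample events these patterns are written for:
#   Jan 10 09:14:02 host1 sshd[2211]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
#   Jan 10 09:15:40 host1 sshd[2230]: Failed password for root from 192.0.2.10 port 51240 ssh2
#   Jan 10 09:15:44 host1 sshd[2230]: Failed password for invalid user bob from 192.0.2.10 port 51240 ssh2

# Successful login: the user name follows "Accepted <method> for".
EXTRACT-ssh_login_ok = sshd\[\d+\]: Accepted \S+ for (?<Username>\S+) from

# Failed login: same field name; "invalid user " is optional and kept out of the capture.
EXTRACT-ssh_login_failed = sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?<Username>\S+) from
```

A search such as `source="/var/log/secure" Username=*` then shows whether every login event carries exactly one Username value.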