Why do I get the following error message when I try to extract new fields?
The events associated with this job have no sourcetype information: 1524125445.48
hello there,
please see this answer: https://answers.splunk.com/answers/578392/field-extraction-issue-on-events-with-no-sourcetyp.html in general, you have to assign sourcetype at input time in order to apply search time extraction (and other functions) on your data
hope it helps
View solution in original post
