Why am I getting error "The events associated with this job have no sourcetype information" trying to extract a field in Hunk?

jwalzerpitt
Influencer

I am trying to extract a field in Hunk, and I get the following error:

The events associated with this job have no sourcetype information

When I check one of the props.conf files, I see the source and sourcetype listed as such:

[source::/LogCentral/WindowsEvent/*/WindowsEventLogdata.*]
sourcetype = windows_snare_syslog

However, running a search, the sourcetype field is not showing up.

Would appreciate any help...

Thx


suarezry
Builder

[source::/LogCentral/WindowsEvent//WindowsEventLogdata.]

You have a "." at the end of WindowsEventLogdata...is this a typo?


realsplunk
Motivator

Same problem even with correct filename:

[monitor:///USR/xxx/app_data/yyy/logs/zzz.log]
disabled = false
index = app_xxx

jwalzerpitt
Influencer

That was the issue. Once I removed the '.', the sourcetype field popped up as a field.

Appreciate the eagle eye!


Sebastian2
Path Finder

Just a quick idea, your source path /LogCentral/WindowsEvent//WindowsEventLogdata. looks pretty uncommon. Are you sure it isn't something like /var/log/LogCentral/WindowsEvent//WindowsEventLogdata?


jwalzerpitt
Influencer

I don't believe so as we're connecting via a virtual index to HDFS


Sebastian2
Path Finder

As @suarezry mentioned: Even the . ? Are you sure? I'd double triple check that 😉


jwalzerpitt
Influencer

LOL - I did that exactly, but once I removed the '.', I was able to extract fields so I am 99.8% sure I'm good to go... But, you never know!
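
An added example, not part of the original thread and not Splunk's own code: the Python below applies the wildcard rules documented in props.conf.spec for [source::...] stanzas ("..." crosses directories, "*" stops at a path separator, "." is a literal period) to show which sources a stanza fails to cover and therefore leaves without a sourcetype. The sample source paths, the "no dot" and "..." pattern variants, and whole-string anchoring are assumptions.

```python
import re

def source_pattern_to_regex(pattern):
    """Translate a props.conf [source::<pattern>] expression into a Python regex.

    props.conf.spec rules: '...' matches any characters (crosses directories),
    '*' matches anything except a path separator, '.' is a literal period.
    Everything else is passed through as regex syntax.
    """
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append(r"[^/\\]*")
            i += 1
        elif pattern[i] == ".":
            out.append(r"\.")
            i += 1
        else:
            out.append(pattern[i])
            i += 1
    return re.compile("".join(out))

def unmatched_sources(stanza_pattern, sources):
    """Return the sources the stanza does NOT cover (no sourcetype assigned by it)."""
    rx = source_pattern_to_regex(stanza_pattern)
    # Assumption: the pattern must match the whole source value.
    return [s for s in sources if not rx.fullmatch(s)]

# Constructed sample source values; the real file names are not shown in the thread.
SOURCES = [
    "/LogCentral/WindowsEvent/host01/WindowsEventLogdata_20230101",
    "/LogCentral/WindowsEvent/host02/WindowsEventLogdata.log",
    "/LogCentral/WindowsEvent/dc1/host03/WindowsEventLogdata_20230101",
]

ORIGINAL = "/LogCentral/WindowsEvent/*/WindowsEventLogdata.*"   # stanza from the question
NO_DOT = "/LogCentral/WindowsEvent/*/WindowsEventLogdata*"      # assumed form after removing '.'
RECURSE = "/LogCentral/WindowsEvent/.../WindowsEventLogdata*"   # hypothetical variant using '...'

if __name__ == "__main__":
    for name, pat in [("original", ORIGINAL), ("no dot", NO_DOT), ("recursive", RECURSE)]:
        print(f"{name:10} {pat}")
        for s in unmatched_sources(pat, SOURCES):
            print("   no sourcetype for:", s)
```

Running a check like this against a sample of real source values before deploying a props.conf change shows which events would arrive without a sourcetype, and so fall outside any sourcetype-scoped field extractions and searches.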
