- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why am I getting error "The events associated ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to extract a field in Hunk, and I get the following error:
The events associated with this job have no sourcetype information
When I check one of the props.conf files, I see the source and sourcetype listed as such:
[source::/LogCentral/WindowsEvent/*/WindowsEventLogdata.*]
sourcetype = windows_snare_syslog
However, running a search, the sourcetype field is not showing up.
Would appreciate any help...
Thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[source::/LogCentral/WindowsEvent//WindowsEventLogdata.]
You have a "." at the end of WindowsEventLogdata...is this a typo?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Same problem even with correct filename :
[monitor:///USR/xxx/app_data/yyy/logs/zzz.log]
disabled = false
index = app_xxx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[source::/LogCentral/WindowsEvent//WindowsEventLogdata.]
You have a "." at the end of WindowsEventLogdata...is this a typo?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That was the issue. Once I removed the '.', the sourcetype field popped up as a field.
Appreciate the eagle eye!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just a quick idea, your source path /LogCentral/WindowsEvent//WindowsEventLogdata. looks pretty uncommon. Are you sure it isn't something like /var/log/LogCentral/WindowsEvent//WindowsEventLogdata
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't believe so as we're connecting via a virtual index to HDFS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
as @suarezry mentioned: Event the . ? Are you sure? I'd double triple check that 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LOL - I did that exactly, but once I removed the '.', I was able to extract fields so I am 99.8% sure i'm good to go... But, you never know!
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
