Solved: Re: Why am I getting error "The events associated ...

jwalzerpitt · ‎11-18-2015

I am trying to extract a field in Hunk, and I get the following error:

The events associated with this job have no sourcetype information

When I check one of the props.conf files, I see the source and sourcetype listed as such:

[source::/LogCentral/WindowsEvent/*/WindowsEventLogdata.*]
sourcetype = windows_snare_syslog

However, running a search, the sourcetype field is not showing up.

Would appreciate any help...

Thx

suarezry · ‎11-18-2015

[source::/LogCentral/WindowsEvent//WindowsEventLogdata.]

You have a "." at the end of WindowsEventLogdata...is this a typo?

View solution in original post

splunkreal · ‎07-06-2016

Same problem even with correct filename :

[monitor:///USR/xxx/app_data/yyy/logs/zzz.log]
disabled = false
index = app_xxx

suarezry · ‎11-18-2015

[source::/LogCentral/WindowsEvent//WindowsEventLogdata.]

You have a "." at the end of WindowsEventLogdata...is this a typo?

jwalzerpitt · ‎11-18-2015

That was the issue. Once I removed the '.', the sourcetype field popped up as a field.

Appreciate the eagle eye!

Sebastian2 · ‎11-18-2015

Just a quick idea, your source path /LogCentral/WindowsEvent//WindowsEventLogdata. looks pretty uncommon. Are you sure it isn't something like /var/log/LogCentral/WindowsEvent//WindowsEventLogdata

jwalzerpitt · ‎11-18-2015

I don't believe so as we're connecting via a virtual index to HDFS

Sebastian2 · ‎11-18-2015

as @suarezry mentioned: Event the . ? Are you sure? I'd double triple check that 😉

jwalzerpitt · ‎11-18-2015

LOL - I did that exactly, but once I removed the '.', I was able to extract fields so I am 99.8% sure i'm good to go... But, you never know!

Why am I getting error "The events associated with this job have no sourcetype information" trying to extract a field in Hunk?

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!