
Why am I getting error "The events associated with this job have no sourcetype information" trying to extract a field in Hunk?

Motivator

I am trying to extract a field in Hunk, and I get the following error:

The events associated with this job have no sourcetype information

When I check one of the props.conf files, I see the source and sourcetype listed as such:

[source::/LogCentral/WindowsEvent/*/WindowsEventLogdata.*]
sourcetype = windows_snare_syslog

However, running a search, the sourcetype field is not showing up.

Would appreciate any help...

Thx


Builder

[source::/LogCentral/WindowsEvent/*/WindowsEventLogdata.*]

You have a "." at the end of WindowsEventLogdata...is this a typo?

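To see why that trailing "." matters, here is a small added example (not code from the thread or from Splunk) that models how a props.conf [source::...] stanza is matched against a source path. It assumes the documented wildcard rules in simplified form: "*" matches anything except "/", "..." matches anything including "/", and every other character, the "." included, is a literal. The sample source paths are constructed for the demonstration. A stanza that matches no source leaves events with no sourcetype, which is exactly the state the field extractor complained about.

```python
import re

# Constructed sample source paths, as they might appear in a virtual index.
SAMPLE_SOURCES = [
    "/LogCentral/WindowsEvent/host01/WindowsEventLogdata",
    "/LogCentral/WindowsEvent/host02/WindowsEventLogdata.20240101",
    "/LogCentral/WindowsEvent/host01/sub/WindowsEventLogdata",
]

# The stanza as posted, the stanza with the "." removed, and a recursive variant.
POSTED_PATTERN = "/LogCentral/WindowsEvent/*/WindowsEventLogdata.*"
FIXED_PATTERN = "/LogCentral/WindowsEvent/*/WindowsEventLogdata*"
RECURSIVE_PATTERN = "/LogCentral/WindowsEvent/.../WindowsEventLogdata*"


def source_stanza_to_regex(pattern: str) -> re.Pattern:
    """Translate a [source::...] wildcard pattern into an anchored regex.

    Assumed, simplified semantics (a model of Splunk's rules, not Splunk's code):
      "..."  matches any characters, including "/" (recurses into directories)
      "*"    matches any characters except "/"
      anything else, including ".", is a literal character
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    # Anchor both ends: the whole source path must match the stanza.
    return re.compile("^" + "".join(parts) + "$")


def matching_sources(pattern: str, sources: list) -> list:
    """Return the sources that a given stanza pattern would apply to."""
    rx = source_stanza_to_regex(pattern)
    return [s for s in sources if rx.match(s)]


if __name__ == "__main__":
    for label, pat in (("posted", POSTED_PATTERN),
                       ("fixed", FIXED_PATTERN),
                       ("recursive", RECURSIVE_PATTERN)):
        print(f"{label:9s} {pat}")
        for s in matching_sources(pat, SAMPLE_SOURCES):
            print(f"          matches {s}")
        if not matching_sources(pat, SAMPLE_SOURCES):
            print("          matches nothing")
```

With the posted pattern, only the file that really has a "." after WindowsEventLogdata is matched; the plain WindowsEventLogdata files get no sourcetype. Removing the "." matches the files one directory down, and "..." is the form to use if the files sit at varying depths under WindowsEvent.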

Builder

Same problem even with the correct filename:

[monitor:///USR/xxx/appdata/yyy/logs/zzz.log]
disabled = false
index = app
xxx



Motivator

That was the issue. Once I removed the '.', the sourcetype field popped up as a field.

Appreciate the eagle eye!


Path Finder

Just a quick idea: your source path /LogCentral/WindowsEvent/*/WindowsEventLogdata. looks pretty uncommon. Are you sure it isn't something like /var/log/LogCentral/WindowsEvent/*/WindowsEventLogdata?


Motivator

I don't believe so as we're connecting via a virtual index to HDFS


Path Finder

As @suarezry mentioned: even the "."? Are you sure? I'd double, triple check that 😉


Motivator

LOL - I did exactly that, but once I removed the '.', I was able to extract fields, so I am 99.8% sure I'm good to go... But you never know!
