Splunk Search

Why are there field extraction issues on events with no sourcetype information?

carlyleadmin
Contributor

Hi there,

I know there is an answer related to my question but I don't understand it.

I already have this sourcetype in my forwarder inputs file and this is the original post.

https://answers.splunk.com/answers/578392/field-extraction-issue-on-events-with-no-sourcetyp.html

Splunk Version: 6.2.3
Splunk Build: 264376

I have extracted some fields and here is my search:

index=pas host=pa5pv sourcetype=ProxyService
| transaction startswith="Saving changes to Deal*" endswith="error" maxevents=25
| rex "Saving changes to Deal: (?<Company>.*)"
| rex "ERROR FundAccounting.* - (?<Exception_Message>.*)"
| rename host AS Host _time AS Time
| convert timeformat="%Y/%m/%d-%H:%M:%S" ctime(Time)
| search Exception_Message>0
| table Host,Company,Exception_Message,Time

I get the exact results that I want, but my left hand navigation side is empty. The only visible item is "Extract new fields", and when I click on it I get an error message:

The events associated with this job have no sourcetype information: 1522944752.672061

I am lost, is there something wrong with my query?

Any help is appreciated.

1 Solution

carlyleadmin
Contributor

In case anyone experiences the same or similar issue: adding the field to my rex function did not resolve my issue. I reran my search by taking functions out of my search to see which one is causing this issue, and the |rename function seems to be the culprit. By taking out that part I am able to get my navigation fields back on the left hand side.

Not sure why that is breaking it, and nobody seems to have an answer to it. As long as it is working and back to normal, I'll take it.

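One way to keep the renamed column headers without losing the field sidebar, written here as an added example rather than anything posted in the thread. It assumes the field extractor needs the events' original host, sourcetype and _time fields intact, so the rename is applied as the last step, after the transforming table command, and it replaces the string comparison Exception_Message>0 with an explicit null check.

```spl
index=pas host=pa5pv sourcetype=ProxyService
| transaction startswith="Saving changes to Deal*" endswith="error" maxevents=25
| rex "Saving changes to Deal: (?<Company>.*)"
| rex "ERROR FundAccounting.* - (?<Exception_Message>.*)"
| where isnotnull(Exception_Message)
| convert timeformat="%Y/%m/%d-%H:%M:%S" ctime(_time) AS Time
| table host, Company, Exception_Message, Time
| rename host AS Host
```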


aakwah
Builder

To extract new fields with the rex command, I use it like this:

index=mail 
| rex field=message_subject "Encoded Message subject:(?<encoded_message_subject>[^\?]*)"

Select the field you want to extract data from (in this example it is message_subject), then assign a new field name to the extracted value (in this example encoded_message_subject).

If you want to extract the new field from the whole event:

| rex field=_raw "Encoded Message subject:(?<encoded_message_subject>[^\?]*)"

carlyleadmin
Contributor

Aakwah, that is the way I am extracting. Sometimes I use the field value, sometimes I do not. Default is probably to use it, but in my case adding the field did not resolve my issue, so I decided to take functions out one by one and run my search to find the problem, and it seems that if I use the |rename function then I am not able to extract new fields and the left hand side navigation area is empty.

That is an odd behavior, but it seems to resolve my issue.

p_gurav
Champion

When you search | metadata, is your sourcetype listed?
