Splunk Search

Why are there field extraction issues on events with no sourcetype information?

Contributor

Hi there,

I know there is an answer related to my question but I don't understand it.

I already have this sourcetype in my forwarder inputs file and this is the original post.

https://answers.splunk.com/answers/578392/field-extraction-issue-on-events-with-no-sourcetyp.html

Splunk Version
6.2.3
Splunk Build
264376

I have extracted some fields and here is my search:

index=pas host=pa5pv sourcetype=ProxyService | transaction startswith="Saving changes to Deal*" endswith="error" maxevents=25| rex "Saving changes to Deal: (?<Company>.*)" | rex "ERROR FundAccounting.* - (?<Exception_Message>.*)"|rename host AS Host _time AS Time|convert timeformat="%Y/%m/%d-%H:%M:%S" ctime(Time)| search Exception_Message>0|table Host,Company,Exception_Message,Time

I get the exact results that I want, but my left-hand navigation sidebar is empty and the only visible item is "Extract new fields"; when I click on it I get an error message.

The events associated with this job have no sourcetype information: 1522944752.672061

I am lost, is there something wrong with my query?

Any help is appreciated.

0 Karma

Re: Why are there field extraction issues on events with no sourcetype information?

Champion

When you search | metadata, is your sourcetype listed?

0 Karma

Re: Why are there field extraction issues on events with no sourcetype information?

Builder

To extract new fields with the rex command I use it like this:

index=mail 
| rex field=message_subject "Encoded Message subject:(?<encoded_message_subject>[^\?]*)"

Select the field you want to extract data from (in this example it is message_subject), then assign a new field name to the extracted value (in this example encoded_message_subject).

If you want to extract the new field from the whole event:

 | rex field=_raw "Encoded Message subject:(?<encoded_message_subject>[^\?]*)"
0 Karma
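As an added illustration, not from this answer or from Splunk itself, the following Python mimics what `rex field=<name> "<pattern>"` does: it applies a regex with named capture groups to one field of each event and adds every captured group as a new field. It runs both the pattern from this answer and the two patterns from the question. The sample events, the `_to_python_regex` helper and the `extract_deal_fields` function are constructed for this example and are not Splunk APIs.

```python
import re

# Constructed sample events for this example (field name -> value);
# they are not real data from the thread.
MAIL_EVENTS = [
    {"message_subject": "Encoded Message subject:Invoice 42?utf-8"},
    {"message_subject": "Encoded Message subject:Hello?q"},
    {"message_subject": "unrelated subject"},
]

DEAL_EVENTS = [
    {"_raw": "2018-04-05 15:32:11 INFO Saving changes to Deal: Acme Corp"},
    {"_raw": "2018-04-05 15:32:12 ERROR FundAccounting.Ledger - Null reference at Post()"},
    {"_raw": "2018-04-05 15:32:13 INFO heartbeat"},
]


def _to_python_regex(pattern):
    """Splunk rex uses PCRE-style named groups (?<name>...). Python's re
    only accepts (?P<name>...), so rewrite that prefix. Lookbehinds
    (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def rex(events, pattern, field="_raw"):
    """Emulate Splunk's `rex field=<field> "<pattern>"`.

    Runs the pattern against one field of each event and adds every
    named capture group as a new field. Events that do not match are
    passed through unchanged, as the real command does.
    """
    compiled = re.compile(_to_python_regex(pattern))
    out = []
    for ev in events:
        new_ev = dict(ev)
        value = ev.get(field)
        if value is not None:
            m = compiled.search(value)
            if m:
                # groupdict() maps group name -> captured text
                new_ev.update({k: v for k, v in m.groupdict().items()
                               if v is not None})
        out.append(new_ev)
    return out


def extract_deal_fields(events):
    """The two extractions from the question, chained like
    `| rex ... | rex ...`, with the group names restored."""
    step1 = rex(events, r"Saving changes to Deal: (?<Company>.*)")
    return rex(step1, r"ERROR FundAccounting.* - (?<Exception_Message>.*)")


if __name__ == "__main__":
    subject_pattern = r"Encoded Message subject:(?<encoded_message_subject>[^\?]*)"
    for ev in rex(MAIL_EVENTS, subject_pattern, field="message_subject"):
        print(ev)
    for ev in extract_deal_fields(DEAL_EVENTS):
        print(ev)
```

Because the default `field` is `_raw`, calling `rex(events, pattern)` with no field corresponds to the second form in the answer, while passing `field="message_subject"` corresponds to the first.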

Re: Why are there field extraction issues on events with no sourcetype information?

Contributor

Aakwah, that is the way I am extracting. Sometimes I use the field value, sometimes I do not. Default is probably to use it, but in my case adding the field did not resolve my issue, so I decided to take functions out one by one and run my search to find the problem, and it seems that if I use the |rename function then I am not able to extract new fields and the left-hand side navigation area is empty.

That is odd behavior, but it seems to resolve my issue.

0 Karma

Re: Why are there field extraction issues on events with no sourcetype information?

Contributor

In case anyone experiences the same or a similar issue: adding field to my rex function did not resolve my issue. I reran my search, taking functions out of my search to see which one is causing this issue, and the |rename function seems to be the culprit. By taking out that part I am able to get my navigation fields back on the left-hand side.

Not sure why that is breaking it, and nobody seems to have an answer to it. As long as it is working and back to normal, I'll take it.


0 Karma