Field extraction issue on events with no sourcetyp...

wadesworld · ‎09-26-2017

Using Splunk 6.6.2, I've created a search to look for supervisord events on two different hosts. These events are not currently assigned a source type in inputs.conf on the forwarders:

index=os host=rooster OR host="rooster-2" sourcetype=supervisord*

The events do have sourcetypes when viewed in search, which I assume Splunk assigned at index time. However, when I try to "Extract More Fields" I get:

The events associated with this job have no sourcetype information: 1506449927.283954

Do I have to assign the source type on the forwarder for the extraction to work?

harsmarvania57 · ‎09-26-2017

Hi @wadesworld,

Yes, as best practice assign sourcetype in inputs.conf on splunk forwarder and use that sourcetype in field extraction because when you not specity sourcetype splunk will assign random sourcetype For example: supervisord-1, supervisord-2 .. etc. so your sourcetype will not be constant and due to that your field extraction might not work properly.

Thanks,
Harshil

indresh · ‎01-27-2021

index=throwaway (sourcetype=test OR sourcetype=test1) alerts* thread_name

search results 50,000 events.

extract new fields results in error -

The events associated with this job have no sourcetype information: 1611764913.10321_B0F3A731-12F2-42DC-885F-594F1B2A7FE6

Field extraction issue on events with no sourcetype information

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!