
Limits on sourcetypes listed in the dropdown

mikelanghorst
Motivator

I'm trying to use the Field Extractor, with scoping set to sourcetype. This being a dropdown, I can't type the sourcetype into the box. However, the sourcetypes found in this drop-down list aren't complete.

Is there some setting that can be modified to allow this dropdown list to contain more entries, or can it be modified to allow me to type the sourcetype name in?

kristian_kolb
Ultra Champion

Well, I guess you invoked the IFX by clicking on the little "down" arrow next to an event in normal search view. This means that you enter the IFX with the values for host, source and sourcetype automatically set to the values of that event (and you also get a listing of similar events in the large box on the lower right side of the page). You make your field extraction and save it, thereby applying it to either that source or sourcetype (or even host). This is what you want.

Why? Because you type in (or generate) a regexp in IFX in order to extract fields, based on events of a certain source or sourcetype (i.e. events of the type found in the list). There would be little or no value in generating "rules" for a field extraction based on data of one type, and then applying those "rules" on a completely different type of data.

Unfortunately there is (currently) no way (from inside the IFX) to load a set of events from an arbitrary source/sourcetype, and then start extracting fields. It just isn't built that way.

If you do know your regexes, find the IFX confusing, and want to "do it all manually", then you should edit the props.conf directly.

Hope this helps,

/Kristian

mikelanghorst
Motivator

Yea, need to remember when I post based on an app that it's not really apparent other than by the small tag link.

0 Karma

kristian_kolb
Ultra Champion

Aah, well that's different then. Obviously I didn't interpret "Field Extractor" correctly 🙂

/k

0 Karma

mikelanghorst
Motivator

This is in regards to the Field Extractor App, posting from the Ask Developer link on the application's page.

I'm familiar with the normal process, but was trying to accomplish the same with this app. http://splunk-base.splunk.com/apps/22291/field-extractor

0 Karma