Hi,
I have a regex to extract a field. I need a unique count of those.
While exploring, I found that the extracted field is limited to that sourcetype.
My query spans across 10-12 sourcetypes. Should I just keep adding the field to all sourcetypes?
PS: I'm just a Splunk user. I don't know where .conf files are, I don't have access.
If you don't have access to the .conf files, then yes - the only way to do this is to add the field to all the sourcetypes.
To speed things up, you can go to Manager » Fields » Field extractions and do this: open the field extraction that you need to copy. Using the copy/paste function of your browser, copy the Extraction/Transform from the first field, then create New field extractions and paste in the Extraction/Transform string.
This should be faster than running the Interactive Field Extractor multiple times. However, it won't work unless the field really is the same across all sourcetypes...
Hello
I had a similar situation as well; below is something that works for me to achieve it.
Assume I have 2 sourcetypes, namely st1 and st2, from which I want to fetch the exact same field. I need to do the below:
props.conf
[(?::){0}st*]
REPORT-st_combined = st_combined
transforms.conf
[st_combined]
REGEX = MyRegex