Using Splunk 6.6.2, I've created a search to look for supervisord events on two different hosts. These events are not currently assigned a source type in inputs.conf on the forwarders:
index=os host=rooster OR host="rooster-2" sourcetype=supervisord*
The events do have sourcetypes when viewed in search, which I assume Splunk assigned at index time. However, when I try to "Extract More Fields" I get:
The events associated with this job have no sourcetype information: 1506449927.283954
Do I have to assign the source type on the forwarder for the extraction to work?
Hi @wadesworld,
Yes, as a best practice, assign the sourcetype in inputs.conf on the Splunk forwarder and use that sourcetype in the field extraction, because when you do not specify a sourcetype, Splunk will assign a random sourcetype, for example supervisord-1, supervisord-2, etc. So your sourcetype will not be constant, and because of that your field extraction might not work properly.
Thanks,
Harshil
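As an added illustration of the advice above (example configuration, not from the original post or from Splunk's documentation), here is a monitor stanza without an explicit sourcetype beside the corrected one, plus the props.conf stanza that binds a field extraction to that fixed sourcetype. The log path, the sourcetype name "supervisord", the index "os", and the field names in the regex are assumptions chosen for the example; the regex assumes the default supervisord log format ("YYYY-MM-DD HH:MM:SS,mmm LEVEL message").

```ini
# --- inputs.conf on the universal forwarder ---

# Before (assumed): no sourcetype given, so Splunk derives one at index
# time from the source path and appends a suffix such as -1, -2 when the
# sample it learns from differs between hosts. The field extractor then
# has no stable sourcetype to attach to.
# [monitor:///var/log/supervisor/supervisord.log]
# index = os

# After: pin the sourcetype explicitly on every host that ships this log.
[monitor:///var/log/supervisor/supervisord.log]
index = os
sourcetype = supervisord
disabled = 0

# --- props.conf on the search head (search-time extraction) ---

# Extractions keyed on the constant sourcetype apply to events from
# every forwarder that uses it. Field names and pattern are assumptions
# for the example; adjust the regex to match your actual log lines.
[supervisord]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
EXTRACT-supervisord_fields = ^(?<log_time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?<level>[A-Z]+) (?<message>.*)$
```

After deploying inputs.conf, confirm the stanza the forwarder actually loads with `splunk btool inputs list --debug` on that host, then search `index=os sourcetype=supervisord` (no wildcard) and check that events from both hosts appear before building extractions. Changing the sourcetype only affects data indexed from that point on, so events already indexed under the auto-generated names keep those names.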
index=throwaway (sourcetype=test OR sourcetype=test1) alerts* thread_name
The search returns 50,000 events.
Extract New Fields results in an error:
The events associated with this job have no sourcetype information: 1611764913.10321_B0F3A731-12F2-42DC-885F-594F1B2A7FE6