Solved: Field extration based on Event Type

resparis · ‎07-31-2013

Hi I have created a custom Event type and I would like to perform some field extraction based on the new event type, but I can't do it. I can only extract based on the Host, Source and sourcetype

martin_mueller · ‎07-31-2013

Yes, host source sourcetype only.

See http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf - specifically, the section explaining .

View solution in original post

ykys97 · ‎08-03-2014

Eventtype produced under the conditions of a particular field >>

AS-IS

index=AAA (keyworld1 OR kewyorld2) AND (keyworld3)

To-BE

index=AAA (Specific_Field="keyworld1" OR Specific_Field="kewyorld2") AND (Specific_Field="keyworld3")

martin_mueller · ‎07-31-2013

Yes, host source sourcetype only.

See http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Propsconf - specifically, the section explaining .

mathewboarman · ‎06-27-2022

Nine years on...

is it possible yet to define field extractions for particular eventtypes ?

Defining them on a sourcetype basis is too generic... one extraction does not fit all events for a given source type.

Example. - Linux file /var/log/secure contains Username in different places for successful login and for failed login... so two extractions are required for the same field "Username" Is this a reliable way to do it... ? Will the extractions conflict or will the results just be merged?

Field extration based on Event Type

other

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!