Field extraction issue on events with no sourcetyp...

wadesworld · ‎09-26-2017

Using Splunk 6.6.2, I've created a search to look for supervisord events on two different hosts. These events are not currently assigned a source type in inputs.conf on the forwarders:

index=os host=rooster OR host="rooster-2" sourcetype=supervisord*

The events do have sourcetypes when viewed in search, which I assume Splunk assigned at index time. However, when I try to "Extract More Fields" I get:

The events associated with this job have no sourcetype information: 1506449927.283954

Do I have to assign the source type on the forwarder for the extraction to work?

harsmarvania57 · ‎09-26-2017

Hi @wadesworld,

Yes, as best practice assign sourcetype in inputs.conf on splunk forwarder and use that sourcetype in field extraction because when you not specity sourcetype splunk will assign random sourcetype For example: supervisord-1, supervisord-2 .. etc. so your sourcetype will not be constant and due to that your field extraction might not work properly.

Thanks,
Harshil

indresh · ‎01-27-2021

index=throwaway (sourcetype=test OR sourcetype=test1) alerts* thread_name

search results 50,000 events.

extract new fields results in error -

The events associated with this job have no sourcetype information: 1611764913.10321_B0F3A731-12F2-42DC-885F-594F1B2A7FE6

Field extraction issue on events with no sourcetype information

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?