Using Splunk 6.6.2, I've created a search to look for supervisord events on two different hosts. These events are not currently assigned a source type in inputs.conf on the forwarders:
index=os host=rooster OR host="rooster-2" sourcetype=supervisord*
The events do have sourcetypes when viewed in search, which I assume Splunk assigned at index time. However, when I try to "Extract More Fields" I get:
The events associated with this job have no sourcetype information: 1506449927.283954
Do I have to assign the source type on the forwarder for the extraction to work?