Refine your search:

Extracting fields based on eventtype?

0
1

It is currently possible to setup field extractions based on an eventtype definition, but it sounds like this may not always be supported. I've been using this feature since Splunk 3.3 or 3.4 (when we first started using splunk). But based on some discussions with the engineers, it sounds like this feature may go away or be depreciated and it sounds like it's currently already a highly-discouraged feature.

I recently notice the following message in my info.csv in the job dispatch folder. (Seem's like it's a "DEBUG" message which is probably why I haven't seen it from the search UI)

Message:

Extracting fields based on eventtype is not supported during the main search. Please see splunk documentation for more information.

However I'm unable to find the related documentation. Anyone know the official answer to whether or not this feature is truly going away, and how soon? Would the message be more accurately stated: "searching for extracted fields based on eventtype is not supported during the main search"? Or is there some other meaning here?

I get that technically field extractions based on eventtypes is a complex and potentially confusing feature. I have many different types of events with unique field extractions for a single source/sourcetype; so I'm not sure what the recommendation is on how to replace my existing eventtype-based field extractions....

asked 07 Sep '10, 21:20

Lowell's gravatar image

Lowell ♦
9.6k637
accept rate: 40%

edited 07 Sep '10, 23:04

One Answer:
oldestnewestmost voted
1

We intend to leave the feature in in its "half-working" mode until we fix it or provide a better technique for extracting fields based on a dynamic condition. You are correct in saying that the message is more accurately stated as that you can't search for eventtype-extracted fields.

link

answered 08 Sep '10, 03:40

Stephen%20Sorkin's gravatar image

Stephen Sorkin ♦
8.1k47
accept rate: 52%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×354
×38

Asked: 07 Sep '10, 21:20

Seen: 1,242 times

Last updated: 08 Sep '10, 03:40

Related questions

Automatic field extraction not extracting all the fields from a particular event

Having trouble setting up delims-based field extraction, fields are not showing up

How to stop automatic field extraction from creating separate fields for each case variant on the same field name

Save an 'eval'-based field extraction?

How to extract a field based on other defined fields?

Adding a field extraction causes other fields to disappear

adding a field based on other fields

Field extraction with duplicate values in fields

Copyright © 2005-2012 Splunk, Inc. All rights reserved.