- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Limits on sourcetypes listed in the dropdown
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Limits on sourcetypes listed in the dropdown
I'm trying to use the Field Extractor, with scoping set to sourcetype. This being a dropdown, I can't type the sourcetype into the box. However the sourcetypes found in this drop-down list isn't complete.
Is there some setting that can be modified to allow this dropdown list to contain more entries, or can it be modified to allow me to type the sourcetype name in?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, I guess you invoked the IFX by clicking on the little "down" arrow next to an event in normal search view. This means that you enter the IFX with the values for host, source and sourcetype automatically set to the values of that event (and also the you get a listing of similar events in the large box on the lower right side of the page. You make your field extraction and save it, thereby applying it to either that source or sourcetype (or even host). This is what you want.
Why? Because you type in (or generate) a regexp in IFX in order to extract fields, based on events of a certain source or sourcetype. (i.e. events of the type found in the list). There would be little or no value in generating "rules" for a field extraction based on data of one type, and then applying those "rules" on a completely different type of data.
Unfortunately there is (currently) no way (from inside the IFX) to load a set of events from an arbitrary source/sourcetype, and then start extracting fields. It just isn't built that way.
If you do know your regexes, find the IFX confusing, and want to "do it all manually", then you should edit the props.conf directly.
Hope this helps,
/Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yea, need to remember when I post based on an app that it's not really apparrent other than by the small tag link.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aah, well that's different then. Obviously I didn't interpret "Field Extractor" correctly 🙂
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is in regards to the Field Extractor App, posting from the Ask Developer link on the application's page.
I'm familiar with the normal process, but was trying to accomplish the same with this app. http://splunk-base.splunk.com/apps/22291/field-extractor
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
