topic Missing fields in the index in Splunk Search

Missing fields in the index

iamsplunker31 — Wed, 23 Oct 2019 17:25:16 GMT

Hi,

We have dynatrace data onboarded into Splunk though API. we came across this situation. When I ran the search with an index (index=abc)for last 4 hours/24 hours. There are only few fields are displaying in search results where if I ran the search for last 7 days all fields are displaying. I selected All fields in the results too. There is no field limitation in limits.conf
Can anyone please advise on this

Re: Missing fields in the index

gcusello — Thu, 24 Oct 2019 06:52:39 GMT

Hi iamsplunker31
at first a little question, did you executed your search using Verbose Mode or Smart Mode? try again using Verbose mode.

Then remember that field extractions are related to sourcetype not to index, so check if the sourcetypes when you run your search on 7 days are the same in 4/24 hours.

At least, remember that fields are showed only when they are present in results.
In addition, if you have few occurrences of a field in search results, it's possible that field isn't displayed: you can force display putting the field between Selected Fields, in this way it's showed even if it has few values.

Ciao.
Giuseppe

Re: Missing fields in the index

iamsplunker31 — Thu, 24 Oct 2019 13:26:28 GMT

Hi @gcusello , Thank you for your reply

Yes, I'm running my search in Verbose mode only
The sourcetype hasn't changed when I ran the search for last 7 days/ 24 hours ,I displayed all fields with in the event.
As you mentioned, The fields are may not be present in the results in selected time period(last 24hours)?
Thanks

Re: Missing fields in the index

gcusello — Thu, 24 Oct 2019 13:55:41 GMT

Hi iamsplunker31
you're welcome!
if this answer solves your problem, please accept and/or upvote it.
Ciao and next time!
Giuseppe