https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417960#M169214 <P>@vipmakka, go through <A href="https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html">Splunk Fundamentals 1</A> free course where module 3 talks about this in details. </P> <P>Once you complete the self paced e-learning course you are eligible to take an exam and become Splunk Certified User as well <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 24 May 2018 18:56:01 GMT niketn 2018-05-24T18:56:01Z https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417956#M169210 <PRE><CODE>sourcetype=access_combined | fields clientip host action status </CODE></PRE> <P>All Fields<BR /> Selected Fields<BR /> aaction 5<BR /> ahost 3<BR /> Interesting Fields<BR /> aclientip 100+</P> <H1>status 9</H1> Thu, 24 May 2018 17:26:59 GMT https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417956#M169210 vipmakka 2018-05-24T17:26:59Z https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417957#M169211 <P>Interesting fields are key-value pairs that Splunk extracts when searching the data. When you dispatch a search, Splunk will try to identify delimiters such as an equal sign or colon and assign the value on the left as the field and the value on the right as the value. It will then take these key-value pairs and list them under <CODE>interesting fields</CODE> if that fields is atleast 20% of the search range by default. You can pop open the fields at the bottom of the selection and select any fields that you want at the top and they become <CODE>selected fields</CODE></P> <P><A href="http://docs.splunk.com/Documentation/SplunkCloud/7.0.3/Knowledge/Aboutfields">http://docs.splunk.com/Documentation/SplunkCloud/7.0.3/Knowledge/Aboutfields</A></P> Thu, 24 May 2018 18:08:03 GMT https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417957#M169211 skoelpin 2018-05-24T18:08:03Z https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417958#M169212 <P>Thank you skoelpin!</P> Thu, 24 May 2018 18:12:01 GMT https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417958#M169212 vipmakka 2018-05-24T18:12:01Z https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417959#M169213 <P>In addition, @DalJeanis commented at <A href="https://answers.splunk.com/answers/560735/why-sometimes-sourcetype-doesnt-appear-under-selec.html">Why sometimes sourcetype doesn't appear under Selected Fields?</A></P> <P>-- An interesting field is any field that appears in 20% or more of the data, but is not a selected field. (You can change the 20% number if you want.)</P> Thu, 24 May 2018 18:50:26 GMT https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417959#M169213 ddrillic 2018-05-24T18:50:26Z https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417960#M169214 <P>@vipmakka, go through <A href="https://www.splunk.com/en_us/training/free-courses/splunk-fundamentals-1.html">Splunk Fundamentals 1</A> free course where module 3 talks about this in details. </P> <P>Once you complete the self paced e-learning course you are eligible to take an exam and become Splunk Certified User as well <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 24 May 2018 18:56:01 GMT https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417960#M169214 niketn 2018-05-24T18:56:01Z https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417961#M169215 <P>@ddrillic "You can change the 20% number if you want." Where? Which .conf file or Splunk Web page?</P> Mon, 10 Jun 2019 21:21:55 GMT https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417961#M169215 DUThibault 2019-06-10T21:21:55Z https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417962#M169216 <P>Hi @DUThibault , did you get any scope on where we can change this Interesting field filtering percentage?</P> Thu, 10 Oct 2019 03:16:54 GMT https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/417962#M169216 bishtk 2019-10-10T03:16:54Z https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/558241#M169217 <P>where are these extractions defined? I do not see anything under props.conf on search head which comes with default Splunk.</P><P>&nbsp;</P><PRE>EXTRACT-&lt;class&gt; = [&lt;regex&gt;|&lt;regex&gt; in &lt;src_field&gt;]</PRE><P>For example: if I search for&nbsp;</P><P>index=_internal sourcetype=splunkd, I see a range of fields in "interesting fields".</P><P>Where in props.conf is the corresponding EXTRACT-&lt;class&gt; defined for it?&nbsp;</P><P>I assume: Selected fields= index time fields.</P><P>Interesting fields=search time extracted fields</P> Sun, 04 Jul 2021 05:22:01 GMT https://community.splunk.com/t5/Splunk-Search/What-is-an-interesting-field/m-p/558241#M169217 goelt2000 2021-07-04T05:22:01Z