topic Default fields are not visible in Splunk Search

Default fields are not visible

ChhayaV — Mon, 28 Sep 2020 14:08:32 GMT

Hi,
When I search with particular sourcetype, I get all the data and fields which are extracted are shown on the left side of the flashtimeline. But I'm not getting default fields like date_month, date_hour in interesting field section. Am I missing anything here?

Re: Default fields are not visible

jtworzydlo — Thu, 20 Jun 2013 14:01:50 GMT

Are the fields also unavailable under the "View all X fields" link?

Re: Default fields are not visible

ChhayaV — Fri, 21 Jun 2013 06:15:43 GMT

yeah there not available even in "View all x fields" link.

Re: Default fields are not visible

Ayn — Fri, 21 Jun 2013 08:51:44 GMT

Which specific fields are you missing? Just the date_* fields? Because these are not available for all sources, for instance they are not present for Windows event logs, among others.

Re: Default fields are not visible

ChhayaV — Fri, 21 Jun 2013 09:09:32 GMT

date_* fields and some timeendpos, timestartpos fields. I've loaded sharepoint logs. For the same logs in previous indexer they were visible. But in new indexer i've loaded same logs but they're not visible.

Re: Default fields are not visible

Ayn — Fri, 21 Jun 2013 09:29:02 GMT

Seems like fields related to the time processor. In event logs at least these are not included because the time processor is not invoked in the same way as regular file monitor based inputs. You could always recreate the date_* fields using eval's strftime function.

Re: Default fields are not visible

ChhayaV — Fri, 21 Jun 2013 11:48:06 GMT

"Seems like fields related to the time processor. In event logs at least these are not included because the time processor is not invoked in the same way as regular file monitor based inputs."

I didn't understand this.If possible can u explain me in simple language?

Re: Default fields are not visible

linu1988 — Mon, 28 Sep 2020 14:08:48 GMT

Hello Chhaya,
i faced the same problem when i extracted the time from the log instead of using the Splunk's event timings. However as "AYN" suggested, you can use strftime to get those fields. It's pretty easy.

Try this:
Your search|eval date_mday=strftime(_time,"%d")|eval date_month=strftime(_time,"%b")|table date_mday,date_month

By this way you will be able to use them at search time for charting/stats related queries.

Re: Default fields are not visible

ChhayaV — Mon, 28 Sep 2020 14:09:58 GMT

Hi linu1988,

If i run search like this

sourcetype="INSPRODSP" |eval date_mday=strftime(_time,"%d")|eval date_month=strftime(_time,"%b")|table date_mday,date_month

INSPRODSP has my all data, if run above query will this affect the existing timestamp of indexed events?

Or it'll just give me the default fields ?

I'm asking this because, I just want to make sure that above query will not affect the existing indexed data!!

Re: Default fields are not visible

Ayn — Tue, 25 Jun 2013 06:28:16 GMT

You can never change data in the index, so you don't have to worry.

Re: Default fields are not visible

jfunderburg — Mon, 16 Oct 2017 17:57:40 GMT

BUt if you eval on search head it is extremely slow process verse having the indexer only return valid data. I am now trying this with a 7.0.0 universal forwarder and the same issue STILL exists... When is splunk going to fix this obvious mistake?