topic Re: Websites that describes about Interesting Fields? in Splunk Search

Websites that describes about Interesting Fields?

keldridg2 — Fri, 16 Aug 2019 14:02:51 GMT

Is there a website on Splunk docs that describe about interesting fields and what each field is about? I did research on trying to find what these field names are but still I do not know what they do. Some of the interesting fields I do not understand are RecordNumber and package.

Re: Websites that describes about Interesting Fields?

solarboyz1 — Fri, 16 Aug 2019 15:00:18 GMT

Interesting fields, are just the other fields extracted from the events.

Information on the fields extracted from an event, if available, would be found in the documentation of the add-on used to extract the fields.

You may need to go back to the documentation of the application/appliance/etc producing the events.

NOTE: Some sourcetype, like weblogs that contain text that gets recognized as key=value pairs. For example a CGI web request :

/en-US/app/search/search?display.general.type=statistics&display.page.search.tab=statistics&display.page.search.mode=fast&dispatch.sample_ratio=1

Splunk by default will extract these key=value pairs, and if enough events contain them, they would show up under interesting fields. Despite the fact that the fields are not actually valid fields for that event.

Re: Websites that describes about Interesting Fields?

richgalloway — Fri, 16 Aug 2019 15:02:16 GMT

There can be no such Splunk document. Field names and their contents vary wildly depending on the source of the data. To find out what a 'RecordNumber' or a 'package' is you would have to consult the documentation of the product that produced those fields.

Re: Websites that describes about Interesting Fields?

keldridg2 — Fri, 16 Aug 2019 15:12:08 GMT

Basically just look at where the information form that product is coming from in order to make sense of what that field name is about. Sometimes with the documentation I see these fields being used like the other people know what that person means and question how they do know what there purpose of their function.

Re: Websites that describes about Interesting Fields?

richgalloway — Fri, 16 Aug 2019 15:40:30 GMT

Basically, yes. Product documentation is often written for people already familiar with the product (not so much with Spunk) so it helps to find a person with experience using that product to help you make sense of the data.

Re: Websites that describes about Interesting Fields?

keldridg2 — Fri, 16 Aug 2019 15:50:06 GMT

Thanks for the help.