https://community.splunk.com/t5/Splunk-Search/Problem-with-field-extraction/m-p/122616#M33054 <P>Hello</P> <P>I am having some pretty weird issues with field extraction on 6.2. When I perform this search:</P> <BLOCKQUOTE> <P><STRONG><EM>65932</EM></STRONG></P> </BLOCKQUOTE> <P>It returns 1,668 events, which is perfectly fine - as well as about 34 fields. It also returns three sourcetypes. It doesn't return all the fields I want however, so I run this search:</P> <BLOCKQUOTE> <P><STRONG><EM>65932</EM></STRONG> (sourcetype="wa_contacts" OR sourcetype="wa_messages" OR sourcetype="contacts_data")</P> </BLOCKQUOTE> <P>It then returns the same 1,668 events, however, this time there are signifcantly more fields - about 50 of them. Why is this happening?</P> <P>Thanks for any help.</P> Mon, 28 Sep 2020 18:48:27 GMT nyp_kwyc 2020-09-28T18:48:27Z https://community.splunk.com/t5/Splunk-Search/Problem-with-field-extraction/m-p/122616#M33054 <P>Hello</P> <P>I am having some pretty weird issues with field extraction on 6.2. When I perform this search:</P> <BLOCKQUOTE> <P><STRONG><EM>65932</EM></STRONG></P> </BLOCKQUOTE> <P>It returns 1,668 events, which is perfectly fine - as well as about 34 fields. It also returns three sourcetypes. It doesn't return all the fields I want however, so I run this search:</P> <BLOCKQUOTE> <P><STRONG><EM>65932</EM></STRONG> (sourcetype="wa_contacts" OR sourcetype="wa_messages" OR sourcetype="contacts_data")</P> </BLOCKQUOTE> <P>It then returns the same 1,668 events, however, this time there are signifcantly more fields - about 50 of them. Why is this happening?</P> <P>Thanks for any help.</P> Mon, 28 Sep 2020 18:48:27 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-field-extraction/m-p/122616#M33054 nyp_kwyc 2020-09-28T18:48:27Z https://community.splunk.com/t5/Splunk-Search/Problem-with-field-extraction/m-p/122617#M33055 <P>Perhaps the extractions changed due to some smart mode changes.I would start by trying to change search mode to verbose, adding "FIELDNAME=*" or specifying fields to gather more info.</P> Fri, 30 Jan 2015 03:31:29 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-field-extraction/m-p/122617#M33055 chanfoli 2015-01-30T03:31:29Z https://community.splunk.com/t5/Splunk-Search/Problem-with-field-extraction/m-p/122618#M33056 <P>One of your sourcetypes is associated to either a builtin recognized sourcetype, or you have a TA that is extracting those fields for one of your source types.</P> Fri, 30 Jan 2015 03:58:09 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-field-extraction/m-p/122618#M33056 esix_splunk 2015-01-30T03:58:09Z https://community.splunk.com/t5/Splunk-Search/Problem-with-field-extraction/m-p/122619#M33057 <P>Hi </P> <P>Thanks for the help.</P> <P>@chanfoli: No, changing the search to verbose mode does not help - the results are the same. Adding FIELDNAME=* does not help either. This is because the search, whether in verbose or smart mode, does not extract the fields in the first place.</P> <P>@esix_splunk: Perhaps - some of the sourcetypes are CSV files, perhaps its associated to a built-in CSV sourcetype. Could this be the case? I don't believe I have any TAs installed on my Splunk installation.</P> <P>I believe that the following issue is related to this matter.</P> <P>When I perform this search</P> <BLOCKQUOTE> <P>(sourcetype="wa_messages" OR sourcetype="sms")</P> </BLOCKQUOTE> <P>I get 42 fields. However, if I add one more sourcetype to this search, I get less fields (34 of them). This is causing issues with finding relevant data. Is there any way to solve this?</P> <P>thanks</P> Mon, 02 Feb 2015 01:07:43 GMT https://community.splunk.com/t5/Splunk-Search/Problem-with-field-extraction/m-p/122619#M33057 nyp_kwyc 2015-02-02T01:07:43Z