topic Re: Undefined Fields are in Splunk in Splunk Search

Undefined Fields are in Splunk

kpavan — Mon, 27 Oct 2014 08:45:03 GMT

Hi All,

Am getting undefined fields in splunk, since all my conf files are configured correctly. If am searching the logs with less than 15 min am getting the fields correctly, but if the search period is more than 15min all my fields state are undefined. What would be the issue could you please help me find solution and fix.

Thanks!

Re: Undefined Fields are in Splunk

tom_frotscher — Mon, 27 Oct 2014 10:51:38 GMT

Could you provide some sample results were it went correctly and incorrectly?

Re: Undefined Fields are in Splunk

kpavan — Mon, 28 Sep 2020 18:00:59 GMT

Below are example logs

Logs are undefined fields:
10/28/2014 06:28:50 -0700 - AUTHZ_SUCCESS - GET - hostname/group/reports/-/consumer/WSRP_10132_332e2c30_0bb44ddba59baef8c2c8226f/normal/view/cacheLevelPage/WDJOMWMzUnZiVkpsY0c5eWRITlFiM0owYkdWMFgxZEJVbDlwWTJWd2IzSjBZV3hmZDNOeWNEMHg*?p_p_lifecycle=2&p_p_resource_id=getReportList&p_p_col_id=column-3&p_p_col_count=1&_WSRP_10132_332e2c300bb44ddba59baef8c2c8226f_wsrp-resourceCacheability=cacheLevelPage&undefined=undefined&=1414474130364 - uid=xyz,ou=users,ou=people,dc=xyz,dc=com - 06:28:50 - http - xyz_webgate - - 2uid=qatest110781@zys.com

Logs are defined and correct fields
0/28/2014 07:24:39 -0700 - AUTHZ_SUCCESS - GET - HOSTNAME- x.x.x.x - www.xyz.com/autologin - uid=stefanlay@xyz.com ,ou=customers,ou=people,dc=xyz,dc=com - 07:24:39 - http - xyz - - 2uid=stefanlay@xyz.com

Re: Undefined Fields are in Splunk

Muryoutaisuu — Tue, 09 Dec 2014 08:43:03 GMT

We have the same phenomenon too.
One single event messes up all fields. If searched without that event, everything works great. As soon as the specific event is loaded, the following happens:

The list of fields on the left seems normal at first glance, numbers on the right of each field indicate number of different results as usual
When clicking on a field link, the box shows up and the field is named "undefined"
Although the field should have 19 different values, there shows up only one value "null" with 100% occurrence and count=5, for each field!
Below the title in this box it says: "1 Value, 0.001% of events"
When shortened the timerange, I even get "1 Value, 0% of events" on 112 found results. How can it have a value but not affecting any event? Still, the value is "null"

However, analysing the data still works. So a | stats count by shows data and count with proper values, even with the evil event!

This happened to me for the very first and only time. When comparing the two events, I don't see any differences in the pattern.
I'm sorry but I'm not allowed to share the events because of data privacy reasons.
I still hope this might help for further investigation.