Default fields are not visible

Communicator

Hi,
When I search with a particular sourcetype, I get all the data, and the fields which are extracted are shown on the left side of the flashtimeline. But I'm not getting default fields like date_month, date_hour in the interesting fields section. Am I missing anything here?

Re: Default fields are not visible

Path Finder

Are the fields also unavailable under the "View all X fields" link?

Re: Default fields are not visible

Communicator

Yeah, they're not available even in the "View all X fields" link.

Re: Default fields are not visible

Legend

Which specific fields are you missing? Just the date_* fields? Because these are not available for all sources, for instance they are not present for Windows event logs, among others.

Re: Default fields are not visible

Communicator

date_* fields and some timeendpos, timestartpos fields. I've loaded SharePoint logs. For the same logs on the previous indexer they were visible, but on the new indexer I've loaded the same logs and they're not visible.

Re: Default fields are not visible

Legend

Seems like fields related to the time processor. In event logs at least these are not included because the time processor is not invoked in the same way as regular file monitor based inputs. You could always recreate the date_* fields using eval's strftime function.

Re: Default fields are not visible

Communicator

"Seems like fields related to the time processor. In event logs at least these are not included because the time processor is not invoked in the same way as regular file monitor based inputs."

I didn't understand this. If possible, can you explain it to me in simple language?

Re: Default fields are not visible

Champion

Hello Chhaya,
I faced the same problem when I extracted the time from the log instead of using Splunk's event timings. However, as "AYN" suggested, you can use strftime to get those fields. It's pretty easy.

Try this:
Your search | eval date_mday=strftime(_time,"%d") | eval date_month=strftime(_time,"%b") | table date_mday, date_month

This way you will be able to use them at search time for charting/stats-related queries.

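The same strftime approach, extended to the whole date_* family as an added example that is not part of the original thread. It assumes the asker's sourcetype INSPRODSP and follows the value conventions of Splunk's index-time date_* fields (lowercase full month and weekday names, numeric day/hour/minute/second, date_zone as minutes east of UTC derived from the %z offset).

```spl
sourcetype="INSPRODSP"
| eval date_year=tonumber(strftime(_time,"%Y"))
| eval date_month=lower(strftime(_time,"%B"))
| eval date_mday=tonumber(strftime(_time,"%d"))
| eval date_wday=lower(strftime(_time,"%A"))
| eval date_hour=tonumber(strftime(_time,"%H"))
| eval date_minute=tonumber(strftime(_time,"%M"))
| eval date_second=tonumber(strftime(_time,"%S"))
| eval tz=strftime(_time,"%z")
| eval date_zone=if(substr(tz,1,1)="-",-1,1)*(tonumber(substr(tz,2,2))*60+tonumber(substr(tz,4,2)))
| fields - tz
| stats count by date_wday date_hour
```

Because strftime(_time, ...) renders in the searching user's time zone while the index-time date_* fields reflect the timestamp text in the raw event, the two can disagree for events whose log timestamps carry a different zone offset. Like the one-liner above, this is evaluated at search time and writes nothing to the index.
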
Re: Default fields are not visible

Communicator

Hi linu1988,

If I run a search like this:

sourcetype="INSPRODSP" | eval date_mday=strftime(_time,"%d") | eval date_month=strftime(_time,"%b") | table date_mday, date_month

INSPRODSP has all my data. If I run the above query, will this affect the existing timestamp of indexed events?

Or will it just give me the default fields?

I'm asking this because I just want to make sure that the above query will not affect the existing indexed data!!

Re: Default fields are not visible

Legend

You can never change data in the index, so you don't have to worry.
