Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a limit on the number of selected or interesting fields in Splunk?

Kukkadapu
Path Finder
‎05-12-2016 02:17 PM

Hi,

I have a log statement with almost 100 fields. When searched, it doesn't show all the fields in Selected fields nor in All fields tab. Is there a limitation for the number of fields in Splunk? If so, where do I change it?

I used the table command to make sure the missing fields are there, it's just not showing in the panel to the left.

Thanks.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-12-2016 02:29 PM

The select fields menu filters by events with greater than 1% match by default. Did you change that?

alt text

Preview file
1 KB
0 Karma
Reply

sgadde
Explorer
‎01-25-2017 03:45 AM

Check the answer by veganjay here: https://answers.splunk.com/answers/129773/advice-for-when-you-have-more-than-100-automatically-extra...
It worked for me.

0 Karma
Reply

Kukkadapu
Path Finder
‎05-12-2016 02:33 PM

Jkat54, I've the same settings. The coverage is 1% or more.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-12-2016 02:45 PM

Change it to All Fields.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-12-2016 02:46 PM

Also be sure you're searching in verbose mode.

0 Karma
Reply

Kukkadapu
Path Finder
‎05-12-2016 02:50 PM

Yes, I tried it , but no luck. It doesn't show all the fields.

0 Karma
Reply

Kukkadapu
Path Finder
‎05-12-2016 02:51 PM

But if I pipe

| fields abc then abc is showed in the fields list. But without that it doesn't show.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-12-2016 03:59 PM

Does it show in the fields picker if you change from 1% coverage to show all fields and then type the field name into the seacb bar in the fields picker? If so, just select the fields you want to see by default and they'll always be selected for your user when you're in that app context.

0 Karma
Reply

Kukkadapu
Path Finder
‎05-12-2016 04:26 PM

NO, It doesn't show even if I change the coverage

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-13-2016 02:46 AM

I believe the other thing it does which may be causing the issue, is it only samples a certain number of events. I believe the limit is set under [associate] in limits.conf but i'm not 100% sure. I recommend opening a support case to get a definitive answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...