Dear all,
I have a suspicious case using Splunk 7.2. I have a data source type with about 15k rows. Each row has about 164 fields.
Some of the fields have few values. Most of the time they are empty (null).
When I run my search, one of my fields is not showing. The command is very basic:
index=<myindex> sourcetype=<mysourcetype>
My field is not showing up. Even if I use the "Extract New Fields" option (and after selection "All Fields" in the popup).
When I run the same command with the following...
index=<myindex> sourcetype=<mysourcetype> <myfield>=*
...then it shows the field in the result. Which means that the field exists in the previous result.
But why doesn't that field show up in the first result?
Note that I have increased the limit in order to show all fields.
My limits.conf
[search]
min_freq=0
Thank you in advance for your answer.
@ecoquelin
Can you please compare the results of both searches below?
index=<myindex> sourcetype=<mysourcetype> | fieldsummary | search field="<myfield>" | table field count distinct_count values
index=<myindex> sourcetype=<mysourcetype> <myfield>=* | fieldsummary | search field="<myfield>" | table field count distinct_count values
Here I want to see the behaviour of both of your searches.
Updated Answer:
When field discovery is enabled, Splunk software identifies and extracts the first 50 fields that it finds in the event data that match obvious key=value pairs. This 50 field limit is a default that you can modify by editing the [kv] stanza in limits.conf.
In our case, we have updated the [kv] stanza in limits.conf with the value 200.
Thanks
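To make the mechanism in this answer concrete, here is a small model of automatic key=value field discovery with a [kv] limit. It is an added illustration written for this thread, not Splunk's own code or configuration: it reproduces the documented behaviour (only the first N obvious key=value pairs in an event are auto-extracted, N defaulting to 50) on a constructed 164-field event, so you can see why a field that sits late in the event is absent from the field list until the limit is raised. The event layout, the field names (f001..f163, myfield) and the regex are assumptions made for the example; the handling of repeated keys is simplified.

```python
"""
Model of Splunk automatic key=value field discovery under the [kv] limit.

Added illustration for this thread, not Splunk's own code. It mirrors the
documented behaviour: field discovery keeps only the first kv_limit obvious
key=value pairs it sees in an event (default 50). Event contents and field
names below are constructed sample data.
"""
import re
from typing import Dict, List, Tuple

# Splunk's documented default for the [kv] stanza in limits.conf.
DEFAULT_KV_LIMIT = 50

# "Obvious" key=value pairs: a key token, '=', then a quoted or bare value.
# (Assumed approximation of the discovery rule, not Splunk's real parser.)
KV_RE = re.compile(r'(?<![\w.])([A-Za-z_][\w.-]*)=("([^"]*)"|(\S+))')


def parse_kv_pairs(event: str) -> List[Tuple[str, str]]:
    """Return every (key, value) pair in the raw event, in textual order."""
    pairs = []
    for m in KV_RE.finditer(event):
        value = m.group(3) if m.group(3) is not None else m.group(4)
        pairs.append((m.group(1), value))
    return pairs


def auto_extract(event: str, kv_limit: int = DEFAULT_KV_LIMIT) -> Dict[str, str]:
    """Field discovery: keep only the first kv_limit distinct keys found."""
    fields: Dict[str, str] = {}
    for key, value in parse_kv_pairs(event):
        if key in fields:
            continue  # simplification: first occurrence wins
        if len(fields) >= kv_limit:
            break  # everything after this point is silently not discovered
        fields[key] = value
    return fields


def fields_beyond_limit(event: str, kv_limit: int = DEFAULT_KV_LIMIT) -> List[str]:
    """Keys present in the raw event that discovery would drop at this limit."""
    discovered = auto_extract(event, kv_limit)
    return [k for k, _ in parse_kv_pairs(event) if k not in discovered]


def build_sample_event(n_fields: int = 164) -> str:
    """Constructed event with n_fields pairs; 'myfield' is placed last."""
    parts = [f"f{i:03d}=v{i}" for i in range(1, n_fields)]
    parts.append('myfield="present"')
    return " ".join(parts)


if __name__ == "__main__":
    ev = build_sample_event()
    for lim in (DEFAULT_KV_LIMIT, 200):
        found = auto_extract(ev, lim)
        state = "present" if "myfield" in found else "MISSING"
        print(f"[kv] limit={lim}: {len(found)} fields discovered, myfield {state}")
    print("keys dropped at the default limit:", len(fields_beyond_limit(ev)))
```

Running the script shows 50 discovered fields with myfield missing at the default, and all 164 with myfield present at limit 200. Before raising the limit in production, run fields_beyond_limit over a representative raw event to see how many keys are being dropped; a field that is not discovered does not fail loudly, and any dashboard or alert that relies on discovered fields rather than an explicit field reference will simply never see it.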
In the first case, I have no (0) results; in the second case, I have a fieldsummary result with the expected field.
@ecoquelin
Well, the event has 164 fields. So can you please try the configuration below in limits.conf?
[kv]
limit = 200
That works perfectly.
Thank you very much!!
@ecoquelin
Glad to help you. I have updated my answer. Please refer to the given link for more information and upvote my comments.
!!! Happy Splunking !!!