Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my field not showing up with the following search query?

ecoquelin
Explorer
‎11-03-2018 09:58 AM

Dear all,

I have a suspicious case using Splunk 7.2. I have a data source type with about 15k rows. Each row is about 164 fields.

Some of the fields have few values. Most of the time they are empty (null).

When I run my search, one of my fields is not showing. The command is very basic

index=<myindex> sourcetype=<mysourcetype>

My field is not showing up. Even if I use the "Extract New Fields" option (and after selection "All Fields" in the popup).

When I run the same command with the following...

index=<myindex> sourcetype=<mysourcetype> <myfield>=*

...then it shows the field in the result. Which means that the field exists in the previous result.

But why doesn't that field show up in the first result ?

Not that I have increased the limit in order to show all fields

My limits.conf

[search]
min_freq=0

Thank you in advance for your answer.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-03-2018 10:15 AM

@ecoquelin

Can you please compare the result of below both search?

index=<myindex> sourcetype=<mysourcetype> | fieldsummary | search field="< myfield>" | table field count distinct_count values


index=<myindex> sourcetype=<mysourcetype> < myfield>=* | fieldsummary  | search field="< myfield>"  | table field count distinct_count values

Here I want to see the behaviour of your both searches.

Updated Answer:

When field discovery is enabled, Splunk software identifies and extracts the first 50 fields that it finds in the event data that match obvious key=value pairs. This 50 field limit is a default that you can modify by editing the [kv] stanza in limits.conf.

https://docs.splunk.com/Documentation/Splunk/7.2.0/Knowledge/WhenSplunkEnterpriseaddsfields#Field_ex...

In our case, we have updated [kv] in limits.conf with the 200.

Thanks

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-03-2018 10:15 AM

@ecoquelin

Can you please compare the result of below both search?

index=<myindex> sourcetype=<mysourcetype> | fieldsummary | search field="< myfield>" | table field count distinct_count values


index=<myindex> sourcetype=<mysourcetype> < myfield>=* | fieldsummary  | search field="< myfield>"  | table field count distinct_count values

Here I want to see the behaviour of your both searches.

Updated Answer:

When field discovery is enabled, Splunk software identifies and extracts the first 50 fields that it finds in the event data that match obvious key=value pairs. This 50 field limit is a default that you can modify by editing the [kv] stanza in limits.conf.

https://docs.splunk.com/Documentation/Splunk/7.2.0/Knowledge/WhenSplunkEnterpriseaddsfields#Field_ex...

In our case, we have updated [kv] in limits.conf with the 200.

Thanks

Reply
Solved! Jump to solution

ecoquelin
Explorer
‎11-03-2018 10:38 AM

In the first case, i have no (0) result, in the second case, I have fieldsummary result with the expected field

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-03-2018 10:48 AM

@ecoquelin

Well, the event has 164 fields. So can you please try to do below configuration in limit.conf? 

[kv]
limit = 200
0 Karma
Reply
Solved! Jump to solution

ecoquelin
Explorer
‎11-03-2018 10:51 AM

That works perfectly.

Thank you very much !!

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-03-2018 10:59 AM

@ecoquelin

Glad to help you. I have updated my answer. Please refer the given link for more information and upvote my comments.

!!! Happy Splunking !!!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...