Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Stash logs

sara
New Member
‎03-25-2026 07:16 AM

 we are unable to create further detections in ES because some key fields are missing in the stash logs. After reviewing the source logs, I found that the entity fields are marked as    unknown.

We have been informed that these are internal logs, so raising a support case is not an option.

How can we identify the root cause of the missing data and determine why these fields are not being populated?

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-25-2026 09:51 AM

Hi @sara 

Can you provide an exampe of the events which are missing fields?

Splunk Support will still usually assist where they can with issues like this if the data is being generated by your Splunk deployment, if the events missing fields are coming from outside of Splunk then I imagine we wont be able to help too much but if its generated within Splunk then support should help.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-25-2026 07:31 AM

What stash logs? What source logs?

Are you trying to run your detections on some summarized data?

What internal logs are you talking about?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...